How USPS Keeps Your Sensitive Data Secure

September 30, 2016

Your security matters

At USPS® we take our cyber security responsibilities seriously. Protecting the data of our customers, partners, vendors and suppliers is paramount. After the 2014 data breach in which some sensitive information was exposed, we took a hard look at our policies and procedures and made changes to improve how our sensitive data is protected.

What You Should Know

USPS has taken major steps to improve data security for our vendors.

What You Can Do

In the event your business suffers a data breach, consult with your lawyer(s) to discuss risks, liability and action steps.

In 2015, 500 million personal records were exposed worldwide.1

Secure Data-Handling Procedures Outlined

At USPS, we classify supplier and customer information into four categories: sensitive, sensitive-enhanced, critical-moderate and critical-high.

Sensitive data consists of:

  • Private information about individuals
  • Confidential business information (i.e., trade secrets, proprietary information, financial information, supplier proposal information and source selection information)
  • Data susceptible to fraud such as accounts payable, accounts receivable, payroll and travel reimbursement data

Sensitive-enhanced data includes information such as:

  • Law enforcement information and court-restricted information
  • Credit card data (also known as PCI data)
  • Personally identifiable information (PII) about individuals (e.g., employees, contractors, suppliers, business partners and customers), including but not limited to protected health information and wire or money transfers
  • Communications protected by legal privileges

Critical-moderate and critical-high information includes:

Transactional and production data that would have severe adverse impacts on operations (such as shutting down systems or delaying mail delivery) or catastrophic impacts (such as bringing operations to a halt) if it were unavailable.

USPS policy for sensitive and sensitive-enhanced information:

  • Limit hard copy and electronic distribution to persons on a specific, job-related need-to-know basis
  • Destroy data that is no longer needed or remains past its retention date
  • Retain sensitive information in accordance with a retention schedule
  • Restrict the pickup, receipt, transfer and delivery of sensitive information to authorized personnel
  • Protect data on USPS workstations, laptop computers and hand-held devices against theft and/or disclosure to unauthorized individuals
  • Encrypt sensitive information in storage (i.e., at rest), in transit or stored off-site
  • Label any printed or electronic material considered sensitive as “RESTRICTED INFORMATION”
  • Ask that suspicious behavior of employees, contractors, suppliers or visitors be reported

Additional preemptive policies we employ:

  • Periodically check point-of-sale devices to ensure they have not been tampered with (i.e., skimmers have not been installed)
  • Encrypt all transmissions containing PCI data
  • Use dummy data for development and/or testing
  • Mask credit card numbers when displayed
  • De-identify or remove credit PCI data from removable media and audit logs
  • Physically secure all hard copy and electronic media containing PCI data
  • Log and track all media removed from any facility

There were 318 data breaches in 2015.1

At USPS we DO NOT:

  • Store sensitive or sensitive-enhanced information on devices not owned by USPS
  • Co-mingle sensitive or sensitive-enhanced information with non-USPS information
  • Remove sensitive or sensitive-enhanced information from USPS premises without approval in writing from the functional vice president (data steward) and chief information officer or their designees
  • Print sensitive or sensitive-enhanced information on printers where unauthorized people may see the output
  • Use e-mail, IM, chat or other electronic means to send sensitive or sensitive-enhanced information unless it is encrypted
  • Discuss sensitive or sensitive-enhanced information in an open area where others might overhear the conversation
  • Send sensitive or sensitive-enhanced information by fax without management approval
  • Delete emails that include PCI or PAN information without de-identifying or encrypting the data

How USPS protects critical information

For critical information we:

  • Protect workstations, laptop computers and hand-held devices against theft
  • Require password-protected screen savers be engaged when leaving a device unattended
  • Store critical information in controlled areas
  • Back up the information regularly
  • Store back-up media offsite in a secure location
  • Do not leave critical information in an unprotected location