CompuMail Receives SOC 1 Type II and SOC 2 Type II Attestations, PCI Compliance, HIPAA Security Rule Compliance, and FISMA Compliance

Concord, CA – CompuMail, a direct mail company, today announced that it has completed its SOC 1 Type II, SOC 2 Type II, PCI, HIPAA, and FISMA audits. Compliance with these standards verifies that CompuMail has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of CompuMail’s controls. SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes CompuMail’s description of controls as well as the detailed testing of the design and operating effectiveness of those controls over a period of time, rather than at a single point in time as in a Type I report.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of CompuMail’s controls to meet the standards for these criteria.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These requirements apply to any merchant or service provider that processes, stores, or transmits information from a payment card. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors tested CompuMail’s controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards and assisted CompuMail in becoming PCI compliant.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is a national standard for the protection of individuals’ electronic Protected Health Information (ePHI). An organization that handles ePHI must protect it against reasonably anticipated threats by performing a risk assessment and implementing appropriate administrative, physical, and technical safeguards. HIPAA is enforced by the Office for Civil Rights (OCR) and is meant to protect against unauthorized use and disclosure of ePHI.

The Federal Information Security Management Act (FISMA) is United States legislation, enacted as Title III of the E-Government Act of 2002. FISMA’s intent is to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. CompuMail’s FISMA audit was based on National Institute of Standards and Technology (NIST) Special Publications 800-171 Rev. 1 and 800-53 Rev. 4.

Stephanie Kaster, EVP and Chief Sales Officer at CompuMail, stated, “CompuMail understands how critical privacy, security, and reliability are to both our business and that of our clients. We recognize that data is one of the most valuable assets we have these days, which is why we’ve established strong quality management practices to protect and maintain data integrity while hosting and processing our clients’ data. Safeguarding data and ensuring compliance with the highest industry standards is of utmost importance to us and we demonstrate this by continuously adding to our list of externally validated certifications.”

“Many of CompuMail’s clients rely on them to protect sensitive consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, CompuMail has implemented best practice and industry-accepted controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the direct mail solutions and services provided by CompuMail.”

About CompuMail

CompuMail cultivates partnerships with our clients to ensure that they receive the best results, under the highest level of data security, at the most competitive price. We provide mailing and communication services, with a real-time portal to meet your management and oversight needs. Technology changes, business changes, but our commitment to service doesn’t.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

“Alexa, what’s the weather like in Nashville today?” Amazon’s Alexa, Apple’s Siri, the Google Assistant – the list of voice assistants and voice-enabled devices keeps growing. “Hey Google, could you set an alarm for 8:00 AM tomorrow?” Their basic goal is to make our lives easier, right? Through their language processing abilities, voice assistants can complete all types of tasks – stream music, set an alarm, take notes, order products, control smart home devices, and integrate with other applications. Voice assistants and voice-enabled devices live in the bedrooms, kitchens, and living rooms of millions of users. They are simultaneously helpful and vulnerable; what threats do they pose to data privacy? How do companies protect the data that users give Alexa, Siri, and the Google Assistant?

Amazon’s Data Privacy Worst Case Scenario

Under GDPR, any EU data subject may request that a company send them the entirety of the data it has collected about them, so a German Amazon user did just that. Amazon sent back fairly ordinary results – Amazon searches, orders, etc. – but also 1,700 voice recordings and transcriptions. The issue? This user doesn’t own any Alexa-enabled devices. He listened to the voice recordings to see if they were connected to him in some way but concluded that it was an error on Amazon’s part. When he discovered this information leak, the user contacted Amazon but never heard back.

This story broke when the user went to the German magazine c’t with his concerns, which eventually led to the identification of the voices in the recordings. C’t reported, “We were able to navigate around a complete stranger’s private life without his knowledge…The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.” This case shows that even when users don’t think they’re giving up personal data to voice assistants, the accumulation of that data can lead to a full picture of who they are, where they are, their habits, and their community. Our digital footprints reveal a great deal about us. Voice assistants must store, or have access to, stored personal data in order to personalize the user experience, creating a cycle that keeps expanding users’ digital footprints.

As a matter of due diligence, c’t decided to contact the user behind the voice recordings. C’t reported, “We couldn’t find a phone number, so we used Twitter to ask the victim to contact us. He called back immediately and we explained how we found him. We had scored a direct hit and Neil Schmidt (not his real name) was audibly shocked when we told him about the personal data Amazon had sent to a stranger. He started going through everything he and his friends had asked Alexa and wondered what secrets they might have revealed. He also confirmed that we had correctly identified his girlfriend.”

Lessons Learned from Amazon Alexa Data Collecting Mistake

With the purchase of a voice-enabled device and the use of Alexa, Siri, or the Google Assistant, a user agrees to terms and conditions that address data privacy, but when those terms aren’t upheld by the data controller or processor, the foundation of trust is damaged.

Amazon’s reaction to this data privacy incident was disappointing. The first misstep occurred when Amazon didn’t even notice its mistake. Then, when the user notified Amazon of the data privacy incident, he reported that Amazon never responded. When Amazon did recognize the incident, there was seemingly no timely notice to a data protection authority or the victim. For context, GDPR Article 33 requires a controller to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible, and Article 34 requires notifying affected data subjects without undue delay when the breach is likely to result in a high risk to them. After c’t got involved, Amazon finally contacted the user and the victim about the mistake, and an Amazon spokesperson stated, “This unfortunate case was the result of a human error and an isolated single case.” Was Amazon planning to respond to this case, or did the media attention prompt them to address the situation?

The benefit of regulations like GDPR and CCPA is that they provide new ways to hold organizations accountable for securing data subjects’ personal information. Building customer trust is a difficult task in this day and age; digital consumers are wary of unwanted follow-up, sales pitches, cold calls, and spam. Organizations that demonstrate a commitment to privacy regulations like GDPR and CCPA have the potential to rebuild the trust that many digital consumers have lost. This trust, in turn, may actually result in greater sharing of personal data.

The wariness around voice assistants and their listening-in abilities will, hopefully, not fade anytime soon. Users must be aware of the relationship they’re creating with companies like Amazon, Google, and Apple by inviting them to listen in on their lives. Likewise, data controllers and processors must protect personal data with the appropriate controls and care.

If any data privacy regulations apply to your organization, contact us today to avoid situations like this. We want to empower your organization to protect the data you hold and ensure the privacy of your customers.

More Data Privacy Resources

CCPA vs. GDPR: What Your Business Needs to Know

Privacy Policies Built for GDPR Compliance

Investing Where It Matters: Unbounce’s Commitment to GDPR Compliance

Independent Audit Verifies QIRT’s Internal Controls and Processes

Floral Park, NY – QIRT, a home health and hospice billing, coding, and consulting company, today announced that it has completed its SOC 1 Type II audit. This attestation verifies that QIRT has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of QIRT’s controls that may affect its clients’ financial statements. SOC 1 Type II is a reporting on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes QIRT’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

“QIRT places the value of quality at the forefront of our company’s mission,” explained Laura Page-Greifinger, President and CEO of QIRT. “Auditing and re-auditing our internal controls ensures that we continue to deliver the highest quality service available to our clients. This attestation reaffirms to the post-acute industry that we don’t merely speak about quality: we act as a true partner, requiring quality internally so we can provide it externally. I am proud of our employees and the operations staff in particular who have set up the appropriate processes to maintain quality and security.”

“Many of QIRT’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, QIRT has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by QIRT.”

About QIRT

In 2006, QIRT was founded by President/CEO Laura Page-Greifinger, BSN, MPA, who worked within the post-acute provider space for over 30 years as a nurse, supervisor, and clinical consultant. QIRT’s initial service was providing multiple types of quality assurance reviews and coding. QIRT has since expanded its services to the entire post-acute space, including assessment review, hospice coding and eligibility reviews, QAPI audits, and ADR response.

All care providers have workflow processes or operations that create a patient journey from initial referral through reimbursement. The workflow requires quality assurance, education, compliance, and operational strategy within each step of a comprehensive and cyclical process, what QIRT calls: Quality Cycle Management (QCM). QIRT has acquired three post-acute service companies and formed five specialized divisions designed to support post-acute agencies throughout the quality management cycle.

QIRT’s employees undergo rigorous vetting prior to hire and continued oversight and monthly monitoring to maintain top-notch compliance. The company operates 24/7/365.

In 2017, QIRT was named to the 2017 Inc. 500/5000 List of Fastest Growing Companies for the fifth consecutive year. As a leader in the post-acute support industry, QIRT earned the position of 1486, showing a three-year growth of 273%. Inc. magazine reports that companies making this list have, on average, grown six-fold since 2013 in the face of an economy that grew just 6.7 percent during that time. Of the thousands of companies who have applied for this distinction, only 7% have made the list five times, placing QIRT on the Inc. 5000 Honor Roll.

Independent Audit Verifies Wowrack’s Internal Controls and Processes

Seattle, WA – Wowrack, a cloud service provider, today announced that it has completed its SOC 1 Type II audit. This attestation verifies that Wowrack has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of Wowrack’s controls that may affect its clients’ financial statements. SOC 1 Type II is a reporting on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place over a period of time. The SOC 1 Type II audit report includes Wowrack’s description of controls as well as the detailed testing of its controls.

“The reliability and security of our facility is of the utmost importance to us,” said Erward Osckar, Managing Partner at Wowrack. “This is now our 7th consecutive year undergoing the rigorous SOC 1 audit. We have a responsibility to our customers to continue providing best in class service, and the auditing process attests to the efforts we make in the backend to ensure the highest level of service.”

“Many of Wowrack’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, Wowrack has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Wowrack.”

About Wowrack

Founded in 2001, Wow Technologies, Inc. (dba Wowrack) is a cloud service provider offering various hosting services, including private cloud hosting, hybrid cloud infrastructure, backup and disaster recovery solutions, dedicated server solutions, colocation, and more. Our competency includes being able to design, provision, implement, manage, and monitor compliant and high-traffic web applications that require scalable, fast-performing, and secure infrastructure.

Independent Audit Verifies Innovative Architects’ Internal Controls and Processes

Duluth, GA – Innovative Architects, a SaaS provider, today announced that it has completed its SOC 2 Type I audit. This attestation provides evidence that Innovative Architects has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Innovative Architects’ controls to meet the standards for these criteria.

“We are extremely excited to announce this positive report of attestation through KirkpatrickPrice. This audit further supports our dedication to excellence and consistently providing top-notch levels of service and processes for our customers,” states Scott McMichael, President of Innovative Architects. “Our greatest value is to be trusted advisors to our customers and help them further their goals and successes.”

“The SOC 2 audit is based on the Trust Services Criteria. Innovative Architects has selected the security and confidentiality categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Innovative Architects delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Innovative Architects’ controls.”

About Innovative Architects

Innovative Architects is a Microsoft Gold Partner specializing in using leading-edge, proven technologies to build practical solutions to business problems. In January 2019, Innovative Architects was acquired by Improving, a technology consulting and custom software solution company whose mission is to elevate the perception of the IT professional through practices and environments of trust. For more information, please visit improving.com.
