Holding Mail Carriers Accountable to Reduce Identity Theft

Updated August 2020.

Private mail is a treasure trove of information for identity thieves. There are medical bills, credit card statements, checks, ID documents and more.

In one case in Yonkers, New York, 85 people were victims of mail theft, resulting in $660,000 in losses. Police arrested three men who stole 10 public mail bins — but the thefts continued. The officials involved in the investigation reported that it was possible the thieves obtained a master key through ties to former employees of the postal system.

Unfortunately, it’s not uncommon for identity thieves to exist within the postal service itself. Employees have access not only to high volumes of mail but also master keys to public mail bins and cluster box units (CBUs). The Postal Inspection Service reports that in 2019, there were 1,278 cases of mail theft. From October 2018 to September 2019, the Office of Inspector General investigated 1,264 internal mail thefts!

Fortunately, there’s a way you can address and prevent these thefts.

How to Reduce Insider Threats Through Key Control

Ensuring the safety of delivery equipment such as post office boxes, collection boxes and CBUs requires that you hold employees accountable for how they use keys. An effective key control policy requires that employees:

1. Only have access to keys required for their jobs
2. Use keys for the intended purposes
3. Report lost or stolen keys as soon as possible
4. Return keys at the end of their shifts

To reduce the risk of insider threats, the manual steps involved in meeting these goals should be automated wherever possible. Here are a few examples of how electronic key control helps improve employee accountability:

1. User Profiles — Rather than manually issuing keys, an electronic key control system controls access to keys based on specific user profiles. The system will also record when a key is removed, who removed it and when it’s due for return. To capture this information, some systems might require you to scan a key tag to update the log, while others will automatically record the transaction when the key is removed from the system. Again, the fewer manual steps required, the more secure the process is.
2. Real-Time Alerts — If the key is not returned when it’s due, some systems will send designated personnel a text or email alert.
3. Verifiable Audit Trail — Ensuring you have a verifiable audit trail of key usage can help with investigating security breaches. Even if someone accesses a key without going through the appropriate channels, the audit trail will help you identify who has used each key in the past and demonstrates that you took reasonable efforts to control access to your assets.

By implementing these measures, you can help ensure that employees use keys for their intended purpose. You owe it to citizens to minimize the risk of their personal information being stolen.