Maryland mail scare puts spotlight on mailroom security

Last week, two incendiary packages were sent to state office buildings in Maryland. The packages, which reportedly ignited and emitted a sulfur-like smell when they were opened, were addressed to Maryland Transportation Secretary Beverley Swaim-Staley and to Governor Martin O'Malley.

Yet another package, this one addressed to Homeland Security Secretary Janet Napolitano, ignited at a Washington, D.C. postal facility on Friday. While the motivation for sending these packages appears to be someone's personal vendetta against anti-terror public awareness campaigns by the DHS and state of Maryland, they highlight the importance of having secure mail screening facilities.

According to Ronald Heil, assistant vice president and senior security consultant for TranSystems, an independent consulting and security systems design firm, government agencies and private organizations alike need to realize how vulnerable they are to incidents like this and take proper precautions.

"Any organization, any building that has employees who could be upset at being fired, being disciplined or being passed over for promotions or pay is at risk. If the (organization) has customers, someone is always going to have a disgruntled customer; they are going to be at risk. And, of course, there is symbolism," he said. "If you happen to be a sub office of the IRS or in this case, the department of transportation... you are at risk because you are a symbol of whatever it is the disgruntled person has against (the parent organization). The point is you are not immune just because you are not a government agency."

Richard Coakley, director of mail solutions for Pitney Bowes Management Services, which provides mailroom screening services to large corporate entities in the U.S. and the UK, advises businesses and government agencies to conduct threat assessments that take into account such things as the technology being manufactured by the organization, any religious affiliation the company may have, political affiliations, economic and environmental considerations, as well as how the company's brand is perceived by both the public and private sectors.

While many suspicious packages have visible telltale warning signs, Coakley says that does not appear to be the case in this instance.

"As part of our training and security processes, there are usually 12 red flag warnings when inspecting a mail piece or a package, and based on information received from authorities, there were only one or two characteristics to the packages that would have been red-flagged; the use of postage stamps/clusters of stamps and over-paying for postage," Coakley explained. "In this case, it appears that an external visual check did not yield many abnormal warnings."

According to Coakley, there was also not a sufficient enough time lapse after the first package was opened to warn another state office about the potential for another incendiary device.

"When you consider the process involved, you have an emergency responder in one facility who has just responded to a threat. From there, communications from an emergency response team to workers in other facilities could not have happened in 15 minutes," Coakley said. "When people are working front line sorting the mail, they are not looking at text messages, and they should not have their cell phones on and operating at their work stations. When there is an emergency, the communication chain needs to run from emergency response to senior leadership, then distributed to anyone responsible for operating mail centers. From that point, the individual mail supervisors must take the e-mail communication onto the work floor and communicate to the workers to stop work. This process doesn't happen in 15 minutes."

Of course, one of the most important things an organization can do to mitigate some of the risks posed by suspicious package is to have a secure mailroom facility. Ideally, this facility would be located offsite away from the main office complex, but if that is not possible, Heil says it should be built on a ground floor and have a separate HVAC system from the rest of the building. It's also paramount, according to Heil, that an organization mandate that all packages being delivered either though the U.S. Mail or a courier service be sent through the mailroom first prior to being sent to the recipient.

In some cases, blow out walls to help protect the building's structural integrity from explosive blasts might also be a consideration. Basic X-ray screening technology, such as the ones used in airport security lines, can also provide an additional layer of security, according to Heil.

"There are certain types of screening technology and tools that are relatively inexpensive to purchase and practical for a company to deploy - for example, radiological pagers, dual-emitter X-ray screeners, an isolation box or glove box, and a table that can be used to place something on for further inspection," said Coakley. "The practicality of employing specific technology and other screening tools depends on an organization's/agency's threat level. That is why it is important to first conduct a professional threat assessment before embarking on a security program."

In addition to having a secure mailroom, one of the big keys in preventing a suspicious package from creating a major disruption at an organization is training.

"First of all, professional training of mail center workers and updating training periodically is key. Also, these workers need to have the right reminders around them in their work areas to help them stay focused on the task at hand," Coakley said. "For example, Pitney Bowes reminds its workers to remain vigilant in sorting the mail and the necessary processes to detect suspicious packages, screen them for hazards and how to protect themselves, through wall posters and other visual reminders posted throughout their work stations."

In addition to lost productivity, an incident like this can also wreak havoc on a business and its employees in other ways.

"Frequently, even if it's just a scare, it can create symptoms of post traumatic stress disorder in people and they start calling out of work and that costs you even more time," Heil said. "There were some injuries in this (incident) from what I understand with people having some burned fingers and they at least went to the hospital for a little while to get checked out. There is obviously a direct cost with the medical expenses right there. So, that's what you're looking at and this was not a serious device, as in an explosive that killed many people."

Heil also warned against a potential kneejerk reaction to this incident as happened in the aftermath of the 2001 anthrax attacks that targeted several media outlets and two U.S. senators.

"As I'm doing assessments these days and if I encounter someone who is in the mailroom now that was there then, they kind of snicker at how bad things got for a short period," he said. "And then in three of four years with nothing else happening, they had gone all the back to their old procedures. I think when you do have too much of a pendulum swing one way, it, like a real pendulum, swings just as far back the other way."

Coakley said he doesn't believe their will be kneejerk reaction on the part of lawmakers to this incident as receiving and sending mail is a critical element of government. He added, however, that it should serve as a reminder of the threats governments and corporations face via the mail.

"These events should serve as constant reminders that companies and government agencies must assess their threat levels and employ the necessary people, processes and technology in conjunction with their level of threat," he said. "Incidents such as those that occurred in Maryland remind us of the importance of being vigilant in our detection and screening processes, and of employing the right people and technology."