Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches on the rise. Krebs cites statistics for the Identity Theft Resource Center, a San Diego-based nonprofit which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.
The ITRC has logged 125 paper breaches of the 463 incidents they recorded in 2009. These breaches were across all sectors, with businesses having the most followed by the government sector.
“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”
Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.
Experts say that paper data breach incidents come to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers and in some cases state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals will preempt state measures and will allow paper-based breaches to go unreported because they would require notification only when data stored electronically is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the data breach is in electronic or paper form.
rb-
When we talk to clients about information security and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation should they get into the wrong hands as electronic data stored in an Excel spreadsheet or database server? But data on paper is just another form of data that needs to be protected by information security policies.
Related articles
- Identity theft and data breaches increased in 2010 (lexingtonlaw.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
The 
