Paper-based data breaches on the rise
By Brian Krebs | December 10, 2009; 6:15 PM ET
More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported.
According to the Identity Theft Resource Center, a San Diego-based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of.
Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws.
Congress, though, is considering several federal data breach notification measures that would preempt existing state regulations. The three leading federal proposals, including a bill passed this week by the House of Representatives and a pair of measures passed by the Senate Judiciary Committee last month, would require notification only when data stored electronically is lost or stolen.
“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them, because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley said. “It’s a double danger of course, because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”
Still, it is frequently difficult to determine precisely how many consumer records are jeopardized in paper-based breaches. Indeed, often the closest measure of the size of a paper-based data breach is the number of pounds of documents involved, Foley said.
“There was a case earlier this month in Missouri where 2,000 pounds of credit reports, blank checks and copies of Social Security statements were found in a dumpster,” Foley said. “Unfortunately, you pay by the pound for shredding these documents, and that’s the best measure we have sometimes.”
That incident, reportedly involving the former Battlefield, Mo.-based Nationwide Credit Counseling, exposes a frequent source of paper breaches: companies that go belly-up. And with the ongoing recession claiming more and more companies each day, paper-based breaches are only going to grow as a percentage of overall data spills, Foley predicts.
“What we’re seeing is companies are going out of business and then they take these papers and just toss them, or leave them for the building’s cleaning crew to deal with,” Foley said. “This is a trend that’s only going to get worse.”
According to the ITRC, 17 percent of data breaches reported last year were solely paper-based.
While the federal bills are largely silent on paper breaches, most existing state laws also focus on electronic records. At least two states, Massachusetts and North Carolina, require notification whether the data breached is in electronic or paper form.
David Sohn, senior policy counsel at the Center for Democracy & Technology, said the fact that more than one quarter of data breaches reported this year were paper-based suggests that businesses are in fact reporting paper breaches.
“Our position has been personal data – once digitized — does raise the stakes in terms of ease-of-use,” by identity thieves, Sohn said. “But certainly it is not the case that [breached] paper records pose no threat. The question is: To what extent do companies suffering a breach today think they have an obligation to report paper breaches?”
Stuart Ingis, a partner with the law firm Venable LLP in Washington, said many of the clients he deals with, strictly speaking, do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.
“Most companies really are looking to whether there is likely to be harm to the consumer,” from a breach, Ingis said. “We really don’t have too many scenarios where legitimate companies are trying to hide the fact that they’ve had a breach.”
The ITRC has chronicled 125 paper breaches so far this year, out of a total of 463. Businesses were responsible for 44 or 9.5 percent of the breaches; government agencies and the military caused 27 breaches, or 5.8 percent; lost, stolen or improperly disposed of medical records accounted for 5 percent; financial institutions caused 17 breaches, or 3.7 percent; and educational institutions were responsible for 14 paper breaches, or 3 percent of this year’s total.