In April 2016, the sensitive personal medical information of NFL players was stolen from the locked car of a trainer who had left the files in a backpack inside. In 2014, Safeway, Inc. settled charges brought by the State of California stemming from an investigation into the improper disposal of hard copies of customer information. In 2014, an insurance company was exposed when maintenance workers who were supposed to move four boxes of member records between floors instead threw them out. In 2011, sensitive information regarding an NYPD task force was found in a Manhattan trash can.
What do these stories have in common? In each case, the data breach resulted from the loss or improper disposal of paper.
These stories are not rare one-offs. Despite predictions that computers would usher in a “paperless future,” paper remains a large component of the typical office. One study published in the Journal of the American Medical Association (JAMA) found that breaches of paper records still account for as many as 31% of security breaches.
The continuing role of paper records in office life is a stark reminder that data security is not limited only to electronic records. Paper matters.
Companies should take steps to ensure that their data security safeguards address all threats to personal information, regardless of the format in which the information is maintained. When constructing a data security plan (including breach prevention and detection measures), organizations should consider the risks to, and appropriate protections for, paper records containing sensitive information, and should ensure that their incident response plans address the steps for handling a breach involving paper records.
While most state breach notification laws are triggered only when incidents affect electronic records, this is changing. The security breach notification laws in eight states (Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin), as well as certain federal breach notification requirements (e.g., those under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act), are triggered when incidents affect paper as well as electronic records. On April 13, 2015, the Washington State Senate unanimously passed legislation expanding the state’s data breach law to cover hard-copy data as well as “computerized” data. And even where an organization is not statutorily required to notify consumers of a paper breach, the improper handling of confidential or sensitive paper information creates reputational risk, financial loss, and legal liability. So long as printers and copiers remain a part of the modern office, the risk remains that sensitive documents will be exposed. Thus, companies developing a comprehensive incident response plan and data security plan must be thoughtful about how they manage and control paper records.
All organizations, for-profit and nonprofit alike, should create policies governing how all sensitive documents, electronic and paper, are shared and stored. For example, a policy of shredding documents is one of the easiest ways to reduce inadvertent errors in the disposal of confidential information. Moreover, adopting a written document retention and disposal policy for all records will help minimize the risk that your organization’s name ends up in the news when a trash bag bursts open in a strong wind.