BakerHostetler’s 2016 Data Security Incident Response Report reveals a number of interesting incident response trends: the range of incident causes is broad, all industries are affected, detection capabilities need to improve, it is difficult to provide meaningful notification quickly, and regulatory investigations are more common than lawsuits after notification occurs. One of the report’s interesting tidbits is that 13 percent of the more than 300 incidents that we handled in 2015 involved paper records. An additional 2 percent of the incidents involved both paper and electronic records. And 25 percent of the healthcare incidents we handled in 2015 involved paper records. This rebuts the common assumption that data security incidents are all about electronic data.
Most state breach notification laws are triggered when incidents affect electronic records only. However, the security breach notification laws in eight states – Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, Washington, and Wisconsin – are triggered when incidents affect paper and/or electronic records. Also, other industry-specific state laws that govern certain entities, such as healthcare facilities and insurers, impose breach notification obligations regardless of whether the information at issue is in paper or electronic form. More information on the notification obligations of insurers can be found here.
In addition to the state breach notification laws, the federal breach notification obligations applicable to financial institutions subject to the Gramm-Leach-Bliley Act and covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) cover incidents of unauthorized access to paper and/or electronic records. The U.S. Department of Health and Human Services Office of Civil Rights has been active in enforcing HIPAA violations involving paper records. In 2015, the OCR fined a pharmacy $125,000 for failing to properly dispose of paper records containing patients’ protected health information.
The bottom line is that companies need to ensure that their data security safeguards address all threats to personal information regardless of the format in which the information is maintained. The protection of computer systems is of utmost importance, but breach prevention and detection must consider the risks to paper records. A company’s data protection program, including education and awareness efforts, should not overlook paper records. And incident response plans should contemplate incidents involving paper records.