BakerHostetler’s inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report’s interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about electronic information: in approximately 20% of the incidents we handled in 2014, paper records were the vector of compromise.
Although most state security breach notification laws focus on incidents affecting electronic records, a number of states across the country impose notification requirements when a breach concerns hard-copy records that contain personal information. State breach notification laws that are triggered by incidents involving paper records include those of Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin—and South Carolina’s law arguably applies to both paper and electronic data. Most recently, in April 2015, Washington State enacted several amendments to its breach notification law, one of which expands the law’s coverage to encompass other media by removing the explicit reference to “computerized” data in its definition of “breach of the security of the system.” Other industry-specific state laws that govern certain types of entities, such as health facilities or insurers, impose breach notification obligations regardless of whether the personal information at issue was in paper or electronic form.
In addition, the federal breach notification requirements applicable to (1) financial institutions subject to the Gramm-Leach-Bliley Act, and (2) covered entities under the Health Insurance Portability and Accountability Act, both contemplate incidents of unauthorized access to hard-copy as well as electronic records.
Although cyberattacks and malicious software have hogged the media spotlight over the past few years, it was old-fashioned dumpster diving that led to several of the earliest security breach enforcement actions against companies that improperly disposed of hard-copy personal information. In some cases, violations of this nature are uncovered by reporters or citizens who come across the paper records in the wild, but failures to protect hard-copy documents containing sensitive data may also be exposed in more unorthodox ways. For example, late last year, Safeway, Inc., settled charges brought by the State of California stemming from an investigation into unlawful handling of hazardous waste that also concerned the improper disposal of customer medical information.
In short, companies should bear in mind that data security safeguards need to address all types of threats to personal information, regardless of the format in which the information is maintained. The protection of computer systems and other electronic data repositories is vitally important, but breach prevention and detection efforts also must take into account the risks to hard-copy records.