United States: 2015 BakerHostetler Incident Response Report Shows One In Five Breaches Involved Paper Records
Last Updated: June 3 2015

BakerHostetler's inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report's interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about electronic information: in approximately 20% of the incidents we handled in 2014, paper records were the vector of compromise.

Although most state security breach notification laws focus on incidents affecting electronic records, a number of states across the country impose notification requirements when a breach concerns hard-copy records that contain personal information. State breach notification laws that are triggered by incidents involving paper records include those of Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin—and South Carolina's law arguably may apply to both paper and electronic data. Most recently, in April 2015, Washington State enacted several amendments to its breach notification law, one of which expands the law's coverage to encompass other media by removing the explicit reference to "computerized" data in its definition of "breach of the security of the system." Other industry-specific state laws that govern certain types of entities, such as health facilities or insurers, impose breach notification obligations regardless of whether the personal information at issue was in paper or electronic form.

In addition, the federal breach notification requirements applicable to (1) financial institutions subject to the Gramm-Leach-Bliley Act, and (2) covered entities under the Health Insurance Portability and Accountability Act, both contemplate incidents of unauthorized access to hard-copy as well as electronic records.

Although cyberattacks and malicious software have hogged the media spotlight over the past few years, it was old-fashioned dumpster diving that led to several of the earliest security breach enforcement actions against companies that improperly disposed of hard-copy personal information. In some cases, violations of this nature are uncovered by reporters or citizens who come across the paper records in the wild, but failures to protect hard-copy documents containing sensitive data also may be exposed in more unorthodox ways. For example, late last year, Safeway, Inc., settled charges brought by the State of California stemming from an investigation into unlawful handling of hazardous waste that also concerned the improper disposal of customer medical information.

In short, companies should bear in mind that data security safeguards need to address all types of threats to personal information, regardless of the format in which the information is maintained. The protection of computer systems and other electronic data repositories is vitally important, but breach prevention and detection efforts also must take into account the risks to hard-copy records.
