[BreachExchange] The Paper Trail: The Potential Data-Breach Sitting in your Printer

[Audrey McNeil]

http://www.jdsupra.com/legalnews/the-paper-trail-the-potential-data-10776/

In April 2016, the sensitive personal medical information of NFL players
was stolen from the car of a trainer who had left the files in a backpack
in his locked car.  In 2014, Safeway, Inc. settled charges brought by the
State of California stemming from an investigation concerning the improper
disposal of hard copies of customer information.  In 2014, an insurance
company was exposed when maintenance workers who were supposed to move four
boxes of member records between floors, instead threw them out.  In 2011,
sensitive information regarding an NYPD task force was found in a Manhattan
trash can.

What do these stories have in common?   The data breach resulted from the
loss or improper disposal of paper.

These stories are not rare, one-offs.  Despite predictions that computers
would usher in a “paperless future,” it is undeniable that paper remains a
large component of the typical office.  One study by the Journal of the
American Medical Association (JAMA) found that breaches of paperrecords
still account for as many as 31% of security breaches.

The continuing role of paper records in office life is a stark reminder
that data security is not limited only to electronic records.   Paper
matters.

Companies should take steps to ensure that their data security safeguards
address all threats to personal information regardless of the format in
which the information is maintained.  When constructing a data security
plan – including breach prevention and detection measures– organizations
should consider risks to, and appropriate protections for, paper records
containing sensitive information as well as ensure that incident response
plans address steps for handling a breach involving paper records.

While most state breach notification laws are triggered only when incidents
affect electronic records, this trend is changing.  The security breach
notification laws in eight states – Alaska, Hawaii, Indiana, Iowa,
Massachusetts, North Carolina, Washington, and Wisconsin – as well as
certain federal breach notification requirements (i.e. the
Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability
Act) are triggered when incidents affect both paper or electronic records.
On April 13, 2015, the Senate of Washington State unanimously passed
legislation expanding the state’s data breach laws to cover hard-copy data
as well as “computerized” data.  And, even if an organization is not
statutorily required by law to notify consumers of paper breaches, the
improper handling of confidential or sensitive paper information can create
risks to reputation, loss, and liability.  So long as printers and copiers
remain a part of the modern office, the risk remains that sensitive
documents will be exposed.   Thus, companies developing a comprehensive
incident response plan and data security plan must be thoughtful about how
to manage and control paper records.

All organizations – for-profit and nonprofit – should create policies for
how all sensitive documents—electronic and paper – are shared and stored.
For example, having a policy of shredding documents is one of the easiest
ways to reduce inadvertent error in the disposal of confidential
information.  Moreover, adopting a written document retention and disposal
policy for all recordswill help minimize the risk that your organization’s
name will end up on in the news if trash bags burst open in a strong wind.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160615/9efcf2a2/attachment.html>