Network News

X My Profile
View More Activity

Paper-based data breaches on the rise

More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported.

According to the Identity Theft Resource Center, a San Diego based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of.


Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws.

Congress, though, is considering several federal data breach notification measures that would preempt existing state regulations.The three leading federal proposals, including a bill passed this week by the House of Representatives -- and a pair of measures passed by the Senate Judiciary Committee last month, would require notification only when data stored electronically is lost or stolen.

"Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them, because now we want a hard copy as well as what's on the computer," ITRC co-founder Linda Foley said. "It's a double danger of course, because paper - especially when it's just tossed in a dumpster somewhere - is not like data on a hard drive. It's ready to use, it often contains the consumer's handwriting and signatures, which can be very useful when you're talking about forging credit card and mortgage applications."

Still, it is frequently difficult to determine precisely how many consumer records are jeopardized in paper-based breaches. Indeed, often the closest measure of the size of paper-based data breach is the number of pounds of documents involved, Foley said.

"There was a case earlier this month in Missouri where 2,000 pounds of credit reports, blank checks and copies of Social Security statements were found in a dumpster," Foley said. "Unfortunately, you pay by the pound for shredding these documents, and that's the best measure we have sometimes."

That incident, reportedly involving the former Battlefield, Mo. -based Nationwide Credit Counseling, exposes a frequent source of paper breaches: Companies that go belly-up. And with the ongoing recession claiming more and more companies each day, paper-based breaches are only going to grow as a percentage of overall data spills, Foley predicts.

"What we're seeing is companies are going out of business and then they take these papers and just toss them, or leave them for the building's cleaning crew to deal with," Foley said. "This is a trend that's only going to get worse."

According to the ITRC, 17 percent of data breaches reported last year were solely paper-based.

While the federal bills are largely silent on paper breaches, most existing state laws also focus on electronic records. At least two states -- Massachusetts and North Carolina - require notification whether the data breached is in electronic or paper form.

David Sohn, senior policy counsel at the Center for Democracy & Technology, said the fact that more than one quarter of data breaches reported this year were paper-based suggests that businesses are in fact reporting paper breaches.

"Our position has been personal data - once digitized -- does raise the stakes in terms of ease-of-use," by identity thieves, Sohn said. "But certainly it is not the case that [breached] paper records pose no threat. The question is: To what extent do companies suffering a breach today think they have an obligation to report paper breaches?"

Stuart Ingis, a partner with the law firm Venable LLP in Washington, said many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

"Most companies really are looking to whether there is likely to be harm to the consumer," from a breach, Ingis said. "We really don't have too many scenarios where legitimate companies are trying to hide the fact that they've had a breach."

The ITRC has chronicled 125 paper breaches so far this year, out of a total of 463. Businesses were responsible for 44 or 9.5 percent of the breaches; government agencies and the military caused 27 breaches, or 5.8 percent; lost, stolen or improperly disposed of medical records accounted for 5 percent; financial institutions caused 17 breaches, or 3.7 percent; and educational institutions were responsible for 14 paper breaches, or 3 percent of this year's total.

By Brian Krebs  |  December 10, 2009; 6:15 PM ET
Categories:  Latest Warnings , Safety Tips , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Critical updates for Adobe Flash, Microsoft Windows
Next: Check your Facebook 'privacy' settings now


This article highlights one of the problems with substituting federal regulation for individual states' regulation. Usually the federal regulations are much less stringent, and there are far fewer people charged with oversight and enforcement. We saw this with banks that, when states tried to regulate their credit practices, turned to federal oversight - and we know where that has taken us. Once upon a time states had enforceable usury laws, until credit card companies (or the banks issuing credit cards) became solely federally regulated. Try suing a bank for usurious interest rates now.

All in all, I prefer a system where the states have regulatory authority and oversight and, as noted above, the businesses involved find it simplest to adhere to the strictest state's regulations.

Posted by: vklip1 | December 10, 2009 9:54 PM | Report abuse

If you are a business, with paper originals, shame on you. You cannot have a "privacy policy" until you have defined "data capture".

This document is a bit dated:

, but the NSA had the right idea.

Ideally, one would like to have one original document source, with redactive behavior built in, so that when the original is propagated (printed, etc.), sensitive information is redacted from the copy. For ODF (OpenOffice) this works, for MS WORD, not so much. For Spreadsheets (csv) and Data Bases this can always be made to work. Address Books, Application User Data and Web Forms are a special case, because they involve transport and round trips between formats. Nonetheless, it works.

The often ignored other consideration, which the NSA did not take up is "re-identification". There is a big difference between redaction and simple deletion in this regard. Redacted fields should have the same value regardless of whether or not they had a value in the source.

If you have a (linux) computer for banking, you might consider keeping originals on this, so that any copies that go out to Windows machines are properly redacted.

Posted by: gannon_dick | December 10, 2009 10:22 PM | Report abuse

"All in all, I prefer a system where the states have regulatory authority and oversight and, as noted above, the businesses involved find it simplest to adhere to the strictest state's regulations. "

This makes zero sense. How on earth would you know who to do business with? You assume way to much (of course every business I deal with adheres to Iowa laws) and as the old saying goes...

Uniform regulations make much more sense. Easier for business and easier for consumers to understand.

Posted by: streff | December 11, 2009 3:07 AM | Report abuse

@streff Agree. I wonder how long the NFL would last if each state were allowed to set their own rules for the game. Or, as many legislators seem to advocate, any government regulation at all is too 'socialistic'. Just let the teams set their own rules.

Posted by: TheGeezer | December 11, 2009 6:11 AM | Report abuse

Interesting that the cost of shredding would lead to having thousand of pounds of financial data left in a dumpster. Maybe borrowing an idea from our northern neighbor could avoid this. In major cities in Quebec, you can take your documents, boxes of them, to the local police to be shredded. They will shred them for free. In addition, twice a year, the police visit malls where people can bring their documents to be shredded using an industrial shredder. Again, this is free.

Posted by: TheGeezer | December 11, 2009 12:32 PM | Report abuse

Doesn't much matter when the government helps the potential theives.

If you have obtained a mortgage or bought a house in Montgomery County, MD, I can online right now and download/print/save a PDF copy of your documents - complete with signatures. All on a public and free site.

Posted by: r6345 | December 11, 2009 12:33 PM | Report abuse

@TheGeezer: Interesting concept of having police shred documents. I am going to bring it up at our next town meeting.

Posted by: fchaffin | December 11, 2009 4:31 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company