Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. Many of the takeaways from the Report focus on the technology side of preparedness and the protection of electronic data. Since our inaugural Report, however, we have been warning companies not to forget that data security incidents can also result from the compromise of paper records. Given the trend across all industries to go “paperless” and the growing awareness of privacy issues within companies, one would expect a decline in the number of incidents involving paper records. Yet, as described in the Report, 13 percent of the incidents that we handled in 2016 involved paper records, and an additional 4 percent involved both paper and electronic records. This represents a 1 percent increase in paper-related incidents since 2015. Notably, the share of the healthcare-related incidents we handled that involved paper records decreased from 25 percent in 2015 to 17 percent in 2016, which means other industries experienced a significant increase in paper-related incidents.
Although most state security breach notification laws apply only to incidents affecting electronic records or “computerized data,” the security breach notification laws in nine states – Alaska, Hawaii, Indiana, Iowa, Massachusetts, New Mexico, North Carolina, Washington and Wisconsin – also cover paper records. Other industry-specific state laws that govern certain types of entities, such as insurance companies and healthcare entities, impose breach notification obligations regardless of whether the personal information at issue was in paper or electronic form. In addition, the federal breach notification requirements applicable to financial institutions subject to the Gramm-Leach-Bliley Act, and to covered entities under the Health Insurance Portability and Accountability Act, both contemplate incidents of unauthorized access to paper records as well as electronic records.
In short, consistent with the overarching takeaway from our 2016 Report – that companies need to continue focusing on the basics to become and remain “Compromise Ready” – companies must ensure that their data security program includes safeguards for the protection of paper records, which continue to be a significant data security issue for companies.
The full 2017 BakerHostetler Data Security Incident Response Report can be found here. The Privacy and Data Protection team will host a webinar on the findings on May 9 at noon ET. Kobus also will be participating in a morning panel titled, “Shakedown Street: Cyber Extortion, Data Breach and the Dirty Business of Bitcoin” on April 20 at the Global Privacy Summit in Washington, D.C.