The Identity Theft Resource Center (ITRC) has released an interim report that reveals that breaches involving paper records appear to be increasing significantly compared to last year while the number of incidents involving electronic records has not showed a similar increase.
According to a press release today, paper breaches currently account for 25% of all breaches recorded in their 2009 database whereas for all of 2008, paper breaches accounted for 17.8%. In 2008, there were 116 paper breaches for the entire year, whereas as of September 30, there have already been 99 incidents recorded.
The business sector accounts for 35 of the 99 paper breaches recorded in their database, with the financial and education sectors recording the fewest paper breaches.
Because not all states require disclosure of, or notification of, paper breaches, it is impossible to estimate how prevalent paper breaches really are or whether what appears to be an increase might simply be an artifact of increased media coverage or public awareness.
Texas is one of a few states that aggressively deals with paper breaches. In August, Attorney General Greg Abbott announced a settlement with with Cornerstone Fitness over improper protection of paper records, and in 2008, he announced settlements with CVS, Radio Shack, CNG Financial Corp. and its subsidiaries, Check ‘n Go of Texas, Inc. and Southwestern & Pacific Specialty Finance, Inc. , GAB Robins, B&F Finance McAllen, L.L.C. , and filed an enforcement action against Nino Tax. Similarly, Indiana Attorney General Attorney Greg Zoeller announced a settlement with CVS and Walgreens chains over the fact that pharmacy records were found in bins behind stores. The FTC had settled its complaint against CVS over failure to secure medical and financial data the prior month.
Paper data breaches may present easier opportunities for identity thieves because the information is “ready to use” and may include signatures. A number of identify theft cases prosecuted within the past year have involved the theft of mail containing personal information that was then used for fraudulent purposes.
According to ITRC, it is critical that both state and federal governments recognize and convey the importance of regulating “best practices” protocols for paper document storage and disposal. ITRC recommends that new breach laws, and amendments to current laws, take into account paper breaches in a manner similar to statutes affecting electronic data breaches.