One of the recurring themes on my blogs is that we need a federal data protection statute that includes protection of paper records. Breaches involving paper records also need to be included in any federal data breach notification statute. Federal statutes are needed because too many states fail to address the security of paper records and fail to mandate disclosure and notification of breaches involving paper or non-electronic data records.
Florida is one of a number of states that neither requires notification of breaches involving paper records nor secure disposal of such records.
In 2010, I reported a number of Florida breaches involving paper records:
- In May, hundreds of files containing personal information of AT&T cell phone customers, including credit card numbers, driver’s licenses and Social Security numbers, were found in residential recycling bin in front of a home in Jacksonville. The records appeared to belong to the defunct Ferrell Communication.
- In October, an employee taking out the trash at a Southside office plaza found boxes of Jackson Hewitt employees’ W-2 forms, copies of their driver’s licenses, Social Security cards and other personal information.
- In November, 1,000 to 2,000 voters’ petitions were dumped, unshredded, in a dumpster in Hillsborough County.
- In December, health insurance applications revealing Social Security Numbers and other personal information were discarded, unshredded in Boca Raton.
Some breaches involved medical or health care information as well as personally identifiable information:
- In January, police turned up medical files containing information that could be used to commit identity theft in a trash bin near University Medical Clinics.
- In July, dozens of boxes filled with personal records including Social Security Numbers turned up in an Orlando dumpster. The files appeared to come from a defunct collection agency, LV Financial Services, that provided collection services for medical offices.
- In July, two people found thousands of file folders with medical records and sensitive personal information such as Social Security Numbers and credit card numbers at the Land O’ Lakes Recycling center.
- In October, an auction at the Gulf Pines Hospital in Port St. Joe has former employees worried because old files were still in the hospital, and people could have walked away with them.
- The December incident involving unshredded health insurance applications included applicants’ medical history information.
In each of these breaches, the entity had no obligation under state law to securely dispose of records and no obligation under state law to notify people about the breaches.
Even as I write this, sensitive health insurance applications remain in the hands of the individual who found them.
Florida – and other states who have as yet failed to enact adequate data protection and breach notification laws – should do so promptly. I do expect that we’ll see some federal statute pass in Congress this year, but most federal proposals still don’t include paper records.
It shouldn’t matter to Congress and state legislators whether a person’s sensitive information is in electronic or paper format (or any other format, for that matter). If you collect sensitive information, you should protect it.
Data Privacy Day is January 28. I would love to see some state legislators introduce bills to remedy this serious gap in protection and breach notification laws.