Paper breaches year-to-date jumped to more than 25 percent of the total reported breaches tracked by the Identity Theft Resource Center (ITRC). This compares to 17.7 percent reported in 2008. As of Sept. 30, 99 paper breaches have been documented on the ITRC breach list, compared to 116 for all of 2008. The Banking/Financial and Educational entities had the fewest paper breaches to date, followed by Business, Educational, Government/Military and Medical/Healthcare.
ITRC defines a paper breach as a data breach event that occurs when paper documents containing personal identifying information (PII) are no longer under the control of the acquiring entity. Instances of this type of breach include: boxes of files with financial, tax, and/or Social Security information left in dumpsters, unlocked storage units, or abandoned buildings; unshredded PII documents left in an unsecured, public location; and PII inadvertently mailed to the wrong person, or displayed on an envelope.
According to ITRC, most state breach laws only regulate electronic data breaches and few address the problem of paper data breaches. However, says ITRC, paper data breaches often present easier opportunities for the identity thief because the information is “ready to use” and may include signatures.
ITRC recommends that new breach laws, and amendments to current laws, take into account paper breaches in a manner similar to statutes affecting electronic data breaches.