Friday, December 11, 2009
Law - "Paper-based data breaches on the rise"
Recall earlier ILB entries such as "Boxes of medical files found abandoned in South Bend" from Nov. 14, 2009, and "Loan paperwork discovered in Mishawaka shopping center trash" from June 21, 2009? The latter story included the following quotes from the South Bend Tribune:
To leave unshredded documents such as that in a trash receptacle is against the law, said Bryan Corbin, public information officer for the attorney general.
"A person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing or otherwise rendering the information illegible or unusable commits a Class C infraction," he said, quoting from a 2006 statute from House Bill 1101.
If more than 100 customer files are left or the person is a repeat offender, it becomes a class A infraction, he added.
That was the 2006 identity law, and a person and/or company would receive a ticket for disposing of such records in that fashion. That would be prosecuted by the county prosecutor.
It also required companies that have a security breach to notify their affected customers by e-mail or mail, phone or fax without unreasonable delay, Corbin said. If more than 500,000 are affected, the database owner may elect to make disclosure on its Web site or report to the media.
The punishment would be a ticket for a fine for up to $500 for a Class C infraction or $10,000 for a Class A infraction or possibly a civil action resulting in a fine of up to $150,000.
A newer version of the law takes effect July 1, and it expands upon and amplifies the old law, Corbin said. "It closes loopholes and fills in missing pieces," he said. [ILB - that would be HB 1121 from 2009]
"It enhances personal information security," Corbin said. "The business will be required to implement and maintain reasonable security procedures for documents, records and electronic devices with customers' personal information."
Corbin admits that persuading local police to go after such criminals can be a question of resources and understanding the law. * * *
The attorney general's office now has a team that investigates incidents like the files being left in the receptacle in Mishawaka.
The Identity Theft Unit of the Indiana attorney general's office was created in January 2008. * * *
Corbin urges people who have been wronged in such fashion to contact the attorney general's office.
"They could sue, but they would probably be better off to contact the attorney general's office," Corbin said. "It can file suit on behalf of all the consumers affected. As the attorney general's office, we are the advocate of consumers.
"It is a much more powerful and effective way than hiring your own lawyer and pursuing it on your own vs. the state pursuing it on behalf of all the consumers and using greater resources," Corbin said.
Yesterday Brian Krebs of the Washington Post computer security column, "Security Fix," has this long article on "paper-based data breaches." According to the story, laws like Indiana's may be endangered by less-comprehensive new federal proposals. Some quotes:
More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported.
According to the Identity Theft Resource Center, a San Diego based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen or improperly disposed of.
Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws.
Congress, though, is considering several federal data breach notification measures that would preempt existing state regulations.
The three leading federal proposals, including a bill passed this week by the House of Representatives -- and a pair of measures passed by the Senate Judiciary Committee last month, would require notification only when data stored electronically is lost or stolen.
"Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them, because now we want a hard copy as well as what's on the computer," ITRC co-founder Linda Foley said. "It's a double danger of course, because paper - especially when it's just tossed in a dumpster somewhere - is not like data on a hard drive. It's ready to use, it often contains the consumer's handwriting and signatures, which can be very useful when you're talking about forging credit card and mortgage applications."
Posted by Marcia Oddi on December 11, 2009 07:45 AM
Posted to General Law Related | Indiana Law