This article is part of an ongoing IAPP Privacy Advisor series on privacy program metrics and benchmarking for incident response management. Find earlier installments of this series here.

In a world where ransomware and hacking attacks have become increasingly commonplace, it can be easy to assume that your electronic data is most at risk of unauthorized access and disclosure resulting in a data breach. In reality, paper incidents are far more common — and more likely to result in a data breach.

Before we dive into the data, here are a couple important terminology clarifications:

  • Incident category: Typically, data incidents can be categorized as paper, electronic, or verbal/visual.
  • Paper incidents: Examples of a paper incident include a misdirected mailing, lost paper files, or records involving personal data of consumers that were disposed of without being shredded. A paper incident could be as simple as handing a printout of a healthcare visit or discharge to the wrong patient. Paper incidents typically expose fewer records per incident than electronic incidents but are much more commonplace.
  • Incident vs. Breach: An incident, for the purposes of this article, is an unauthorized disclosure of sensitive and regulated personal data. Not every incident involving regulated data is considered notifiable to affected individuals or regulators. A notifiable incident has been determined to constitute a data breach per applicable regulations after an organization’s performance of a multi-factor risk assessment and determination.

Every day there are countless small incidents involving just a few records, and every incident, including paper, must undergo a compliant multi-factor risk assessment to establish your burden of proof, particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.

Diving into the metadata: Incident categories by industry

For this article, we examined types of incidents experienced in 2016 and 2017 in three highly regulated industries: financial services, healthcare and insurance. We found that, for incidents overall, paper incidents are far and away the most prevalent.

March 2018 RADAR Benchmarking Article-01

When it comes to data breaches, paper again accounts for a large portion of data breaches across most industries.

March 2018 RADAR Benchmarking Article-02

The final metric we examined with this industry data was the rate at which incidents are considered notifiable (data breach), by category. Here, we found quite a bit of variation across industries, including a surprising breach rate for verbal and visual incidents in the health care sector.

March 2018 RADAR Benchmarking Article-03

Overall, this data indicates that paper incidents are more common, and more dangerous, than you might think. A couple interesting details to note:

  • The financial services industry experiences notably more paper incidents than electronic, but those incidents are more likely to result in a data breach. As the breakdown of breaches by category shows, paper and electronic incidents are considered to be a data breach at near-equal rates, though the breach rate in financial services is notably lower across the board when compared to other industries.
  • The health care industry data shows that 28 percent of all paper incidents are considered a data breach. Interestingly, this figure aligns with the Verizon 2018 Protected Health Information Data Breach Report, which examined over 1,300 incidents in 27 countries to find that 27 percent of incidents in the healthcare sector were related to personal health information printed on paper.

Paper incidents: Increasingly regulated and penalized

Given the prevalence of paper incidents in these regulated industries, it is perplexing that often only electronic incidents are given the spotlight when it comes to privacy program best practices. There may be a few factors at play here:

  • Paper incidents are less visible within an organization: While electronic unauthorized disclosures can be flagged, logged and reported internally by security controls and systems, paper disclosures are manual, easier to lose track of, and more difficult to track down.
  • Electronic incidents are more common in media coverage: That’s because they typically compromise a greater number of records, and are more often the result of a malicious attack — hacking, ransomware, and phishing scams are all threats to electronic data. This disproportionate coverage of electronic incidents doesn’t mean that the media and regulators aren’t paying attention to paper data breaches, however. This year has already seen its fair share of breach notifications and enforcement settlements for paper incidents. In early March, New York Attorney General Eric Schneiderman reached a $575k settlement with a local healthcare provider for the 2016 data breach in which a mailing label included policyholder Social Security numbers.
  • Historically, state data breach notification regulations did not always include the regulation of “non-electronic” data: Paper incidents are explicitly regulated under HIPAA for healthcare entities and the GLBA for the financial industry, but only 10 US states currently regulate both unauthorized paper and electronic disclosures. It’s important to note that the EU General Data Protection Regulation (GDPR) will include the regulation of non-electronic data, as well as an expanded scope of what is considered personal data. And while only 10 states currently specify the regulation of paper incidents, state data breach regulations are changing rapidly, and a number of proposed regulations include amendments which would regulate paper incidents.

Best practices in managing all types of incidents

When it comes to ensuring customer trust and privacy, passing audits and preserving documentation, looking good on paper means doing right by paper incidents, and that means identifying paper incidents when they occur, consistently performing a multi-factor risk assessment on every incident, no matter how small, and documenting every step of your investigation, risk mitigation and corrective actions related to the incident in support of your decision whether to notify or not.

Continue reading this IAPP Privacy Advisor Article to learn specific considerations that are critical to managing paper incidents.


Previous articles in this series: