Data Breach Notification Roulette

Posted in: itr@c News
Sep 15, 2010 - 1:08:32 PM

By Dissent of databreaches.net

Breaches involving sensitive information in paper format pose a risk of ID theft.
So why don’t we have the right to be notified?

Every week I post breach reports that involve paper records on my web sites at DataBreaches.net and PHIprivacy.net. Some of the reports involve the loss of paper records, some involve theft by insiders who misuse the information for fraudulent purposes, some involve criminals who steal mail to obtain account information, some involve mailing errors or misdirected faxes, and some involve businesses or entities that just throw all our sensitive information out with the trash, unshredded, without regard for whether we could become a victim of fraud or be highly embarrassed should anyone see our sensitive information.

Although not as “sexy” as breaches involving massive databases in electronic format, when all is said and done, do you really care whether your sensitive personal, medical, and financial information is “in the wild” in paper or electronic format? Wouldn’t you want to be notified of a breach even if the records were in paper format?

Consider the following potpourri of breaches that have been reported on my sites. As you read each summary, ask yourself whether you would want to be notified if it was your records that had been involved. Then -- and here comes the tricky part -- ask yourself if there is any state law or federal law that you know of that would require the entity to notify you of the breach. I’ll try to provide the correct answers after the exercise:

  1. Paperwork containing personal and financial information was found littering the streets of Buffalo, New York. The customer records were from Rent-a-Center. Do they have to notify you?
  2. In Arizona, thousands of pages of sensitive information reportedly disposed of by The Vine Tavern and Eatery contained people’s names, Social Security numbers and dates of birth from restaurant applications, as well as checks with banking information and also credit card receipts with full card numbers from Vine customers. The receipts revealed a person’s entire credit card number.
  3. Over 40,000 intact patient records containing personal and medical information were found in a pile described as 20’ long by 20’ wide at Georgetown Transfer Station in Massachusetts. The records, from four hospitals, had reportedly been dumped there by the medical billing service they had used.
  4. An unknown number of canceled checks bearing Social Security and bank account numbers of Rockland, Massachusetts town employees are missing after wind knocked them from a loaded recycling truck.
  5. Approximately 30,000 estimated tax payments with checks wound up in the San Francisco Bay after the truck transporting them to the Internal Revenue Service was involved in an accident and wind blew the mail into the bay.
  6. Boxes with 1,590 patient records from a Charlotte, North Carolina’s psychologist’s practice were left at a county recycling facility because the psychologist’s sons mistakenly took the wrong boxes to be recycled. The records contained patient names, contact information, Social Security numbers, credit card numbers and medical histories.
  7. In Illinois, hundreds of sensitive documents that were provided to the law firm of Robert J. Semrad & Associates, also known as DebtStoppers USA, ended up in a trash bin in an area the firm shares with other businesses. The “Client Information Sheets” contained Social Security numbers, full names and addresses, driver’s license numbers and signed debit card authorizations.
  8. 75 legal files were found in a dumpster off Interstate 10 near Boerne, Texas. The files, which included people’s names, addresses, bank accounts, social security numbers, driver license numbers, and birth dates, belonged to attorney David Naworski, who readily acknowledged throwing them away unshredded and said he was unaware of any state law on disposal.
  9. Three small file boxes full of decade-old personal records belonging to customers of the First Federal Savings Bank were found near a residential street in Bryan, Texas. The bank had apparently closed its doors under that name around 2002 and has been acquired by several banks since then. The current owner says that they never assumed ownership of those bank records.
  10. Credit-card numbers from 17,000 guests at the Emily Morgan Hotel in San Antonio were stolen and used in a three-state shopping spree. Officials say the suspects used stacks of stolen credit-card receipts from a storage room at the hotel in 2006.
  11. The University of Florida discovered that 2,047 people had their Social Security or Medicaid identification numbers included on address labels affixed to letters inviting them to participate in a research study. The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company.
  12. In Maryland, Montgomery County’s Department of Health and Human Services is looking into how numerous Wheaton nursing home papers containing sensitive patient information have made their way into nearby neighbors’ yards over the past few months. The exposed internal documents contained patient conditions, names and Social Security numbers.

Answers to the “Do They Have to Notify You?” Exercise:

  1. No. Even though financial information about you was exposed, it was exposed by a business, not a regulated financial institution. New York State law does not require businesses to notify consumers of breaches involving paper records.
  2. No. Not only does Arizona law not require notification of breaches involving paper records, but there is no law preventing such dumping of records. Arizona’s protections are significantly weaker than many other states’ because AZ also does not require breach notification for computerized data unless the breach is “reasonably likely to cause substantial economic loss.” For a state that claims to be worried about ID theft due to immigration concerns, its lack of state laws to secure data and notify individuals of breaches is surprising.
  3. Yes. The federal medical privacy law known as HIPAA, as amended by ARRA, requires all covered entities to notify affected individuals even if the records are in paper format. But: covered entities do not have to notify individuals unless there is a “significant risk of harm” to the individual. The U.S. Dept. of Health & Human Services has recently withdrawn this breach notification rule and it is undergoing further consideration. Even if this breach did not have to be reported under HIPAA, however, it would likely have to be reported under Massachusetts state law, which does cover paper records.
  4. Yes, the town would likely be obligated to report the breach under Massachusetts law.
  5. Yes, the IRS would likely be obligated to notify, but since the mail had not yet been opened, they had no idea whom to notify.
  6. Yes, under both HIPAA and North Carolina law. North Carolina is one of only a few states that include paper records in their breach notification law.
  7. Probably not. Illinois law does not cover paper breaches and it is not clear to me whether bankruptcy lawyers would be covered under the Federal Trade Commission (FTC) Safeguards Rule. This is a useful example of how consumers do not have a simple and clear understanding of whether they will be notified or not. Do we need to become lawyers to figure out which laws apply and how?
  8. No. Although Texas requires businesses to dispose of records securely and the state attorney general can bring charges against or sue a business for improper disposal, there is no requirement that the entity notify individuals of a breach involving paper records.
  9. I would say “yes” because it was a financial institution and the records contained sensitive information, but since the bank no longer exists, who is going to notify you?
  10. No. Although the hotel did notify affected customers (once they realized there had been a breach and were able to figure out who to notify), Texas law does not mandate breach notification if the breach involved paper records. Credit card receipts are paper records.
  11. No. Although the University notified affected individuals, Florida law does not require notification if the breach involves paper records. Nor does FERPA, the federal educational rights privacy law that applies to public universities and schools, require notification of breaches.
  12. No. I bet you thought I was going to say “Yes, under HIPAA,” but nursing homes are not covered by HIPAA and Maryland does not require breach notifications if the breach involves paper records.

So how did you do on the quiz? If you got a headache, you got my point: the existing hodgepodge of state and federal laws leaves too many consumers unprotected. It should not matter what type of entity had a breach or where you live -- your sensitive information is your sensitive information, and your right to be notified should not be a matter of figuring out which of numerous federal and state regulations might apply or might get the entity off the hook.

Worryingly, none of the current data breach notification laws proposed in Congress would require notification if a breach involved paper records.

Tell Congress that we need a nationally unifying data breach notification law that includes breaches involving paper records. And you can tell them I sent you!

Copyright © Identity Theft Resource Center. All rights reserved.