Date: October 1, 2009
For: Immediate Release
Dumpsters: Easy Cash for Identity Thieves
Paper breaches year-to-date 2009 jumped to more than 25% of the total reported breaches tracked by the Identity Theft Resource Center (ITRC). This compares to 17.7% reported for the year 2008. As of September 30th, 99 paper breaches have been documented on the ITRC breach list compared to the total of 116 for the entire 2008 year. The business community accounted for 35 of the 99 total public paper breaches reported. Banking/Financial and Educational entities had the fewest paper breaches to date.
ITRC defines a paper breach as data breach event that occurs when paper documents, with personal identifying information (PII), are no longer under the control of the acquiring entity. Instances of this type of breach include:
- boxes of files with financial, tax, and/or social security information left in dumpsters, unlocked storage units, or abandoned buildings
- unshredded PII documents left in an unsecured, public location
- PII inadvertently mailed to the wrong person, or displayed on envelope
Most state breach laws only regulate electronic data breaches. Few states address the problem of paper data breaches. However, the reality is paper data breaches oftentimes present easier opportunities for the identity thief because the information is “ready to use” and may include signatures. Electronic data breaches may require specialized equipment or software to “read” the information. Because of the nature of paper breaches, it is critical that both state and federal governments recognize and convey the importance of regulating “best practices” protocols for paper document storage and disposal. ITRC recommends that new breach laws, and amendments to current laws, take into account paper breaches in a manner similar to statutes affecting electronic data breaches.
Most paper data breaches are reported to the media or law enforcement by concerned citizens. If not for this, most of these breaches would have gone unnoticed and individuals whose data was exposed would not have known to take proactive steps to protect their information.