This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, Inc., a provider of purpose-built decision support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.
In a world where ransomware and hacking attacks have become increasingly commonplace, it can be easy to assume that your electronic data is most at risk of unauthorized access and disclosure resulting in a data breach. In reality, paper incidents are far more common — and more likely to result in a data breach.
Before we dive into the data, here are a couple of important terminology clarifications:
- Incident category: Typically, data incidents can be categorized as paper, electronic, or verbal/visual.
- Paper incidents: Examples of a paper incident include a misdirected mailing, lost paper files, or records involving personal data of consumers that were disposed of without being shredded. A paper incident could be as simple as handing a printout of a health care visit or discharge to the wrong patient. Paper incidents typically expose fewer records per incident than electronic incidents but are much more commonplace.
- Incident vs. breach: An incident, for the purposes of this article, is an unauthorized disclosure of sensitive and regulated personal data. Not every incident involving regulated data is considered notifiable to affected individuals or regulators. A notifiable incident has been determined to constitute a data breach per applicable regulations after an organization’s performance of a multifactor risk assessment and determination.
Every day, there are countless small incidents involving just a few records, and every incident, including paper, must undergo a compliant multifactor risk assessment to establish your burden of proof, particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.
Diving into the metadata: Incident categories by industry
For this article, we examined types of incidents experienced in 2016 and 2017 in three highly regulated industries: financial services, health care and insurance. We found that, for incidents overall, paper incidents are far and away the most prevalent.
When it comes to data breaches, paper again accounts for a large portion of data breaches across most industries.
The final metric we examined with this industry data was the rate at which incidents are considered notifiable (data breach), by category. Here, we found quite a bit of variation across industries, including a surprising breach rate for verbal and visual incidents in the health care sector.
Overall, this data indicates that paper incidents are more common — and more dangerous — than you might think. A couple of interesting details to note:
- The financial services industry experiences notably more paper incidents than electronic, but those incidents are more likely to result in a data breach. As the breakdown of breaches by category shows, paper and electronic incidents are considered to be a data breach at near-equal rates, though the breach rate in financial services is notably lower across the board when compared to other industries.
- The health care industry data shows that 28 percent of all paper incidents are considered a data breach. Interestingly, this figure aligns with the Verizon 2018 Protected Health Information Data Breach Report, which examined more than 1,300 incidents in 27 countries to find that 27 percent of incidents in the health care sector were related to personal health information printed on paper.
Paper incidents: Increasingly regulated and penalized
Given the prevalence of paper incidents in these regulated industries, it is perplexing that often only electronic incidents are given the spotlight when it comes to privacy program best practices. There may be a few factors at play here:
- Paper incidents are less visible within an organization: While electronic unauthorized disclosures can be flagged, logged and reported internally by security controls and systems, paper disclosures are manual, easier to lose track of, and more difficult to track down.
- Electronic incidents are more common in media coverage: That’s because they typically compromise a greater number of records and are more often the result of a malicious attack — hacking, ransomware and phishing scams are all threats to electronic data. This disproportionate coverage of electronic incidents doesn’t mean that the media and regulators aren’t paying attention to paper data breaches, however. This year has already seen its fair share of breach notifications and enforcement settlements for paper incidents. In early March, New York Attorney General Eric Schneiderman reached a $575K settlement with a local health care provider for the 2016 data breach in which a mailing label included policyholder Social Security numbers.
- Historically, state data breach notification regulations did not always include the regulation of "non-electronic" data: Paper incidents are explicitly regulated under HIPAA for health care entities and the GLBA for the financial industry, but only 10 U.S. states currently regulate both unauthorized paper and electronic disclosures. It’s important to note that the EU General Data Protection Regulation will include the regulation of non-electronic data, as well as an expanded scope of what is considered personal data. And while only 10 states currently specify the regulation of paper incidents, state data breach regulations are changing rapidly, and a number of proposed regulations include amendments that would regulate paper incidents.
Best practices in managing all types of incidents
When it comes to ensuring customer trust and privacy, passing audits and preserving documentation, looking good on paper means doing right by paper incidents. That means identifying paper incidents when they occur, consistently performing a multifactor risk assessment on every incident, no matter how small, and documenting every step of your investigation, risk mitigation and corrective actions related to the incident in support of your decision whether or not to notify.
One of the most valuable outcomes of a multifactor risk assessment is that it can enforce best practices in incident risk mitigation, which can prevent over-notification. When evaluating your privacy program, establishing benchmarking metrics on incidents and notifiable incidents by category can help you identify trends, as well as identify and manage risk within your organization. A few more considerations when looking at how your organization manages paper incidents:
- Make sure your security policies safeguard all data, regardless of the type.
- Establish procedures to quickly identify and escalate paper incidents to the proper internal teams. A previous benchmarking article revealed that, on average, electronic incidents are discovered more quickly than paper incidents: many organizations have security alerts that fire when unauthorized electronic access occurs, whereas with paper it may take a while to notice that a file is missing or a mailing was misdirected. Educate your employees to identify all types of incidents, and simplify and streamline incident escalation with easily accessible and secure web submission forms and a centralized method to report and document incidents internally.
- Use tools to stay informed of changes in regulations, including states’ breach notification changes that add specific notification timelines and expand the definition of regulated data to include paper records. (IAPP members have access to the IAPP-RADAR Incident Response Center.)
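The three metrics this series reports (incidents by category, breaches by category, and the breach rate by category, each broken down by industry) and the benchmarking metrics recommended above can be computed from nothing more than incident metadata. The following Python is an added example, not RADAR's code or data: the `Incident` record layout, the sample counts and the `benchmark` function are assumptions made for illustration, and the sample is constructed so that paper is the most frequent category while electronic incidents expose the most records, as the article describes. It also handles the empty-category case (a category with no incidents in an industry), where a naive rate computation would divide by zero.

```python
"""Benchmark incident metadata by category and industry (added example).

Each record holds only incident metadata (industry, category, the outcome of
the multifactor risk assessment, and a record count), never the personal data
that was involved in the incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CATEGORIES = ("paper", "electronic", "verbal/visual")


@dataclass(frozen=True)
class Incident:
    industry: str
    category: str      # one of CATEGORIES
    notifiable: bool   # True if the risk assessment concluded "data breach"
    records: int       # number of individuals' records involved


def _make(industry: str, category: str, count: int, notifiable: int,
          records_each: int) -> List[Incident]:
    """Build `count` constructed incidents; the first `notifiable` of them
    were assessed as notifiable breaches."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    return [Incident(industry, category, i < notifiable, records_each)
            for i in range(count)]


# Constructed sample metadata (assumed values, not RADAR's data). Paper is the
# most frequent category but exposes few records per incident; electronic is
# the reverse. Insurance has no verbal/visual incidents on purpose.
SAMPLE: List[Incident] = (
    _make("health care", "paper", 10, 3, 2)
    + _make("health care", "electronic", 4, 2, 500)
    + _make("health care", "verbal/visual", 2, 1, 1)
    + _make("financial services", "paper", 6, 1, 3)
    + _make("financial services", "electronic", 3, 1, 1200)
    + _make("financial services", "verbal/visual", 1, 0, 1)
    + _make("insurance", "paper", 4, 1, 2)
    + _make("insurance", "electronic", 2, 0, 300)
)


def _rate(numerator: int, denominator: int) -> Optional[float]:
    """Share or rate, or None when there is nothing to divide by."""
    return None if denominator == 0 else numerator / denominator


def benchmark(incidents: Iterable[Incident]) -> Dict[str, Dict[str, dict]]:
    """Per industry and category: incident count, breach count, records
    involved, share of the industry's incidents, share of its breaches,
    and the breach rate (notifiable incidents / incidents)."""
    counts = defaultdict(lambda: {c: {"incidents": 0, "breaches": 0, "records": 0}
                                  for c in CATEGORIES})
    for inc in incidents:
        bucket = counts[inc.industry][inc.category]
        bucket["incidents"] += 1
        bucket["records"] += inc.records
        if inc.notifiable:
            bucket["breaches"] += 1

    result: Dict[str, Dict[str, dict]] = {}
    for industry, by_cat in counts.items():
        total_inc = sum(b["incidents"] for b in by_cat.values())
        total_br = sum(b["breaches"] for b in by_cat.values())
        result[industry] = {
            cat: {
                **b,
                "incident_share": _rate(b["incidents"], total_inc),
                "breach_share": _rate(b["breaches"], total_br),
                "breach_rate": _rate(b["breaches"], b["incidents"]),
            }
            for cat, b in by_cat.items()
        }
    return result


def most_prevalent_category(metrics: Dict[str, Dict[str, dict]],
                            industry: str) -> str:
    """Category with the most incidents in an industry (ties resolve in
    CATEGORIES order, because max() keeps the first maximal element)."""
    return max(CATEGORIES, key=lambda c: metrics[industry][c]["incidents"])


def format_table(metrics: Dict[str, Dict[str, dict]]) -> str:
    """Plain-text benchmarking table, one row per industry and category."""
    lines = [f"{'industry':<20}{'category':<15}{'incidents':>10}{'breaches':>9}{'rate':>7}"]
    for industry in sorted(metrics):
        for cat in CATEGORIES:
            m = metrics[industry][cat]
            rate = "n/a" if m["breach_rate"] is None else f"{m['breach_rate']:.0%}"
            lines.append(f"{industry:<20}{cat:<15}{m['incidents']:>10}"
                         f"{m['breaches']:>9}{rate:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(benchmark(SAMPLE)))
```

The breach rate for a category is reported as `None` (printed as `n/a`) rather than `0%` when the category has no incidents at all, so that "we had no verbal/visual incidents" is not confused with "none of our verbal/visual incidents were notifiable"; the same metadata, with your own categories and industries substituted, is enough to track these rates over time.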
Above all, it’s important to assess and mitigate the risk of every incident, every time, in order to protect your customers’ privacy and maintain trust, while demonstrating consistency and a strong culture of compliance should regulators and auditors come knocking.
About the data used in this series: Information extracted from RADAR for purposes of statistical analysis is aggregated metadata that is not identifiable to any customer or data subject. RADAR ensures that the incident metadata we analyze is in compliance with the RADAR privacy statement, terms of use, and customer agreements.