A survey released on Jan. 28, 2013 by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) found that nearly two-thirds of data breaches are due to lost paper files and portable memory devices. The survey, entitled “Data Breach Incidents & Responses,” also found that the compliance and ethics department usually led the remediation effort following the last data breach.
“Once again we find that an overwhelming number of data breaches are caused by employees’ poor handling of paper and devices. If we put as much effort into our internal compliance program as we do in technical security we would be more effective at preventing data breaches,” said SCCE and HCCA Chief Executive Officer Roy Snell.
The survey confirmed other studies reporting that more than half of respondents have suffered a data breach during the previous year. More surprising was that 37 percent of the survey respondents had experienced multiple breach incidents, with 20 percent having four or more breaches.
Despite the move toward a paperless office environment, 38 percent reported that lost files were probably the cause of the last breach, while just 11 percent indicated that breaches were the result of hacktivists. The next-highest problem is the loss of a mobile device, including memory sticks. The numbers confirm the expectations of security and compliance professionals.
The good news is that employees appear to be willing to inform employers of potential problems (47 percent). However, the people who should learn of any breach immediately are those in the IT department, which should know where all sensitive information is at any time.
As an identity theft expert and someone who has monitored breaches since 2000, one problem that advocates constantly point out is that most federal breach bills and most state laws do not include paper documents. Therefore, many companies do not have policies dictating which items must be carefully controlled and adequately destroyed before being discarded.
Paper documents that may have sensitive information include job applications, credit card applications, bank documents, and medical records. One industry with a high level of breaches is educational facilities, which allow many professors to store student Social Security numbers on mobile drives. The loss of personal information can lead to identity theft and other complications for both the business and the individual whose information was lost.