December 11, 2009

Stu Ingis comments on paper-based data breaches in Washington Post’s “Security Fix” Blog


Venable partner Stu Ingis was quoted in a December 10 blog post about the rising number of paper-based breaches of sensitive information and companies’ obligations to notify individuals when a paper-based breach occurs. The piece was posted to the Washington Post’s “Security Fix” blog.

According to the Identity Theft Resource Center, a San Diego-based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen or improperly disposed of.

Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data to alert affected consumers, and in some cases state authorities. However, Congress is considering several federal data breach notification measures that would preempt existing state regulations. The three leading federal proposals, including a bill passed this week by the House of Representatives and a pair of measures passed by the Senate Judiciary Committee last month, would require notification only when data stored electronically is lost or stolen.

Ingis said many of his clients do not, in the strictest sense, have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

"Most companies really are looking to whether there is likely to be harm to the consumer," Ingis said. "We really don't have too many scenarios where legitimate companies are trying to hide the fact that they've had a breach."