In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.
These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite widespread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office for Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.
Moreover, non-electronic data breaches afflict both large and small organizations. For instance, in 2017, the Memorial Hermann Health System in Southeast Texas, which comprises 16 hospitals and specialty services in the Greater Houston area, agreed to pay $2.4 million to HHS for disclosing a patient’s protected health information in a press release. On the other end of the spectrum, Cornell Prescription Pharmacy, a single-location compounding pharmacy in Denver, Colorado, agreed to pay a $125,000 fine to HHS for disposing of documents containing patients’ protected health information in a dumpster on its premises.
Insurance-industry statistics confirm that the risk of a non-electronic data breach is not confined to the healthcare industry. According to Gen Re, the overall number of data breaches involving paper records nearly tripled in 2017. The 2017 NetDiligence Cyber Claims Study reported that 9% of insurance claims for data breaches arose from paper records. The 2018 study noted that “the mishandling of paper records continues to be an annoying and expensive event,” with crisis-services costs ranging from $14 to $197,000 (averaging $30,000) and total breach costs ranging from $600 to $926,000 (averaging $69,000).
Despite the widespread aspiration of many businesses to adopt a “paperless office,” in reality, most organizations today still use at least some paper records in addition to digitally stored data. Moreover, even in the absence of paper-based record keeping, non-electronic data breaches can flow from such things as loose documents left on a desk or printer, or printed materials accidentally routed to a dumpster instead of a shredder. In one notable example, an employee left notebooks containing handwritten personal customer information in a backpack in a deli. In short, no business is immune from the risk of a non-electronic data breach.
These types of data breaches may also give rise to regulatory risk. For instance, at the federal level, the Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities’ use of protected health information regardless of whether the information is in electronic, paper, or other form. Likewise, financial institutions subject to the Gramm-Leach-Bliley Act must comply with the Act’s requirements to safeguard all customer information, regardless of whether that information is housed in electronic or paper form. At the state level, the sweeping California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020 and applies to certain companies that collect and control personal information of California residents, protects both paper records and electronically stored information. (For more discussion of insurance coverage for alleged violations of the CCPA, see Beyond GDPR: Insurance Coverage for Emerging Cybersecurity and Privacy Regulatory Exposure.) Although many state breach notification statutes apply only to electronically stored information, a number apply more broadly: for example, statutes in Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, and Wisconsin require notice of non-electronic data breaches as well.
As a result, any business seeking to manage potential exposure arising out of data breaches should make sure its insurance program provides coverage for non-electronic data breaches as well. Although many cyber insurance policies cover both electronic and paper breaches, some policies contain exclusions for losses arising from the theft or disclosure of paper records. If your company’s policy contains such an exclusion, you should consider addressing that issue with your broker and carefully evaluate your other insurance policies, such as CGL, E&O, D&O, and Crime policies, to make sure that the particular risks your business faces with respect to a non-electronic data breach are adequately covered.