In the wake of numerous high-profile electronic data breaches, companies are justifiably concerned about beefing up their cybersecurity programs and ensuring that they have adequate insurance coverage in the event of an electronic data breach. While the unauthorized disclosure of sensitive electronic data, whether through cyberattacks, insider malfeasance, inadvertence, or otherwise, is, of course, a substantial risk that must be addressed in any cyber insurance program, businesses should also understand and insure against their potential exposure in the event of an old-fashioned breach of sensitive information by way of paper or other non-computerized records.
These types of ink-and-paper data breaches happen more often than one might expect, given the media attention paid to electronic data heists. The healthcare industry, for example, is especially plagued by non-electronic data breaches, despite wide-spread adoption of electronic health records. According to a recent study by the American Journal of Managed Care, paper and films were the most frequent storage media at issue in data breaches that occurred in hospitals during the study period, whereas network servers were the least common. Statistics from the Office of Civil Rights Annual Report to Congress on Breaches of Unsecured Protected Health Information, published by HHS in 2012, revealed that paper records were involved in 23 percent of major breaches of protected health information (those affecting 500 or more individuals) and 61 percent of smaller breaches. See also Prevent Breaches: Don’t Forget Paper. This problem has not gone away in the intervening years: 11 major breaches of protected health information reported to date in 2019 involve paper or film records.