As a child growing up in New York City I always wanted to go to the Macy’s Thanksgiving Day Parade. The floats, the balloons, the clowns, the celebrities, the marching bands, the scraps of personal information… wait… personal information?
Every year confetti is thrown from the windows of the offices and apartments lining the parade route. This year someone took shredded arrest reports and other documents from the Nassau County Police Department’s headquarters that were due to be burned and threw the shredded paper out the window during the parade. Personal information such as Social Security numbers, license plate numbers, and phone numbers was found on this confetti.
In addition to the personal information on these scraps there was other confidential information found: details about Republican presidential candidate Mitt Romney’s motorcade to Hofstra University in Hempstead, LI. I suggest that this loss of information would be equivalent to the loss of a business’s intellectual property.
So was this a data breach?
The revealing of these items alone may not lead to identity theft; however, this is a loss of personal information. Under the New York Information Security Breach and Notification Act, personal information is defined as “…any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” It is not, however, a data breach under the same act, as the act focuses on computerized information (there are other disqualifying criteria as well).
Personal information has been used for confetti before
Thinking back to earlier this year when New Yorkers were celebrating the Giants’ Super Bowl victory, full pages of personal information and health information were used as confetti (including a woman’s mammogram). Also, back in 2009 the Yankees’ victory parade included confetti using financial documents such as pay stubs and account statements.
All of these incidents occurred in New York, but it would be foolish to assume that the same thing does not happen anywhere else in the world, especially on a smaller scale. After all, shredded documents make great confetti for parades, parties, birthdays, weddings, or any other event.
So, how is your staff celebrating? Who is getting to see those bits of (hopefully) shredded personal or confidential information?
What are a business’s obligations?
When a business collects and maintains personal and other related information, it has an obligation to protect that information. Ensuring that staff are trained and are following procedures properly is part of that obligation.
In fact, regulatory and legal statutes require that training practices be put in place. To verify that practices are being properly followed and to improve a business’s privacy / security operations, an annual privacy assessment may also be required.