Think about breach notification laws for a second. Which of the following count as a breach?
- A criminal breaks into your network and steals your customer database
- A disgruntled employee copies all of your data onto a thumb drive and walks out
- A laptop or tablet holding unencrypted data is stolen from an employee's car
- A backup tape falls out of the truck on its way to off-site storage
- A stack of print-outs of customer data is set out next to the trash
All of them look like a breach, right?
Under the bulk of state data breach notification laws, paper documents may not be considered “data” at all. As an example, Indiana, Louisiana, and Texas all use the term “computerized data,” Michigan defines “data” as electronic information, and Mississippi refers to “electronic files, media, databases or computerized data containing personal information.”
So, if I leave a laptop full of data lying on the road next to a stack of papers containing the same data, is only one of them considered a “data breach” that requires notification?
I’m not sure I would be willing to risk the loss of customer trust or the PR fallout of relying on such a legal argument. Imagine your customers coming back to say their identities had been stolen, and your response is “we didn’t really, legally, have to tell you we put your PII in the recycling bin.” Probably not the best way to win over customers.