It’s More Than Just “Cyber”: Stealing Data the Old-Fashioned Way

By Shawn Dougherty January 13, 2014

The rapid growth of technology has created new threats for businesses around the world, and made it easier than ever to lose money and damage a firm's brand or reputation. Each week, our new Cyber Monday series will analyze these risks and discuss solutions designed to keep companies safe. Today, we take a look at cybercriminals who don’t need high-tech skills to obtain sensitive data.

When you mention cyber risk, most people immediately think of computer hackers stealing someone’s confidential information — such as their personally identifiable information (PII), including name, address, credit card number, or Social Security number, or their protected health information (PHI), such as healthcare policy number and medical records.

The truth is that criminals don’t need high-tech skills to obtain this sensitive data. They can steal it the old-fashioned way: with a bag and a plan.

Thieves can gain access to PII and PHI without ever running into a firewall. Take a look at the following examples, each of which might be considered a data breach under a cyber-liability policy:

  • Storing patient records: Over the past several years, thieves have stolen thousands of medical films from hospitals, imaging facilities, and warehouses with the intent to sell them for their silver content. Those films, however, often contain personal information printed on them, including a patient’s name and birth date.
  • Forgetting to shred: Businesses routinely discard papers that contain customers’ and employees’ personal information. If they don’t shred the sensitive documents or otherwise ensure their destruction, businesses could easily become victims of a data breach.
  • Recycled photocopiers and printers: When you use a photocopier or all-in-one printer/copier/scanner, the image of the original document is often stored on the machine’s hard drive. If you return a leased copier or recycle an old printer/copier/scanner without first clearing the equipment’s hard drive or memory, someone may gain unauthorized access to huge amounts of PII or PHI.

The bottom line: Companies looking to increase their cybersecurity need to remember that sensitive data isn’t always online. Sometimes it’s in the places you’d least expect.

Stay tuned for the next blog post in our Cyber Monday Series.


Shawn Dougherty

Shawn Dougherty is the assistant vice president of ISO's Specialty Commercial Lines Division. He is responsible for providing the overall direction, leadership, and client service for ISO's cyber liability (e-commerce), D&O (management protection), businessowners, crime and fidelity, financial institutions, employment-related practices liability, and professional liability (other than medical) insurance programs. He is also the ISO product manager for the Lloyd's Wordings Repository, an electronic database of policy wordings and clauses regularly used within the London market. Mr. Dougherty has worked at ISO since 1988.