The incident reporting criteria used to require only the reporting of information technology-related security incidents, but state agencies are now expected to report incidents involving paper and other formats as well. What authority requires agencies to report security incidents involving paper and other formats, and why is this necessary?

In September 2006, the California Information Security Office (then located within the Department of Finance) issued Management Memo 06-12, adding paper and other formats to the state incident reporting criteria. The majority of state agencies are still very much dependent upon paper and other formats, such as microfiche. When an incident involves the theft, loss, or misuse of personal, confidential, or sensitive information, whether in electronic or another format, it is important that adequate steps are taken to notify individuals who may be in jeopardy as a result of the incident. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining the public’s trust in government.