Central California Appellate Program alerts attorneys of stolen disk
Date Reported:
12/3/08
Organization:
Central California Appellate Program ("CCAP")
Contractor/Consultant/Branch:
None
Location:
Sacramento, California
Victims:
Current and former CCAP members
Number Affected:
Unknown
Types of Data:
Social Security numbers, tax identification numbers, addresses, telephone numbers and e-mail addresses
Breach Description:
"Lawyers who work on indigent appeals for the Central California Appellate Program have been warned that their Social Security numbers and personal information have been stolen."
Reference URL:
American Bar Association
The Recorder
Report Credit:
Mike McKee, The Recorder
Response:
From the online sources cited above:
Identity theft was on the mind of many of California's appellate lawyers Monday as word spread about the mid-November theft of a disk containing attorneys' names, Social Security numbers and other personal information from a Sacramento-based nonprofit law firm.
In a letter that arrived in most law offices just before the Thanksgiving holiday, the Central California Appellate Program -- which supplies lawyers for indigent appeals in Sacramento's 3rd District Court of Appeal and Fresno's 5th -- advised current and former panel members that the disk was in a safe stolen from an off-site storage facility on Nov. 15 or 16.
The backup data disk, which was password protected, contained not only the names and Social Security numbers of attorneys who receive appellate work through CCAP, but also federal tax identification numbers, addresses, telephone numbers and e-mail addresses.
[Evan] I guess I don't know much about CCAP. Why do they collect and store Social Security numbers? I suppose for tax purposes.
"A report has been filed with the police and CCAP is fully cooperating in their investigation," CCAP Assistant Director Gary McCurdy
"To date, we have not received any reports of identity theft relating to this incident."
[Evan] If identity theft were to happen, I think it's a little early to start receiving reports.
It wasn't clear on Monday how many attorneys could be affected, and the CCAP Web site gives no indication of the number of lawyers who work with the program.
Attorneys contacted Monday said that while the news upset some CCAP panelists, most took it in stride and didn't blame the agency.
"I subscribe personally to a service provided by American Express that keeps me apprised of any change in my credit," said San Francisco solo Grace Suarez. "[CCAP officials] were doing the best they could."
[Evan] Great. Ms. Suarez will be notified if she becomes a victim of fraud AFTER she has become a victim of fraud. How about the forms of identity theft that may not change a credit report (job applications, rental property, etc.)?
Berkeley solo Wesley Van Winkle, who said he hasn't worked with CCAP for at least eight years, wasn't overly concerned either, even though his personal information conceivably was on the missing disk, too.
"There's probably a million and one ways someone can get your Social Security number," he said, adding that virtually every credit card or bank card these days is protected by passwords or other security methods.
[Evan] Really? I use a credit card every day and I don't ever get asked for a password or "other security methods". Heck, usually if I spend less than 50 bucks I don't even have to sign anything. The last time I took out a loan I wasn't asked for a password or "other security methods". About the million and one ways to get my Social Security number comment; this is exaggerating and defeatist. I think Mr. Van Winkle may be missing the point.
"Anybody who gave out information or set up a new credit card account in my name," Van Winkle said, "would need more than my name and Social Security number to do it."
[Evan] Like what? An address? A place of employment? The fact of the matter is that out of all the information required to apply for a loan or credit card, a Social Security number is typically the most sensitive and confidential. The other information can be easy to get from phone books, online searches, etc. More Mr. Van Winkle logic.
"It's not like somebody kind of wandered onto their site on the Internet and downloaded this stuff," he said. "It was on a disk in a safe off site."
[Evan] Does it really matter how sensitive information is exposed?
In his letter, McCurdy said the disk's theft seemed incidental, saying the robbers took several resalable items, including computer equipment and the safe in which the disk was kept.
"Backups for data storage and disaster recovery," he wrote, "will now be maintained at a secure, vaulted and encrypted off-site data center, through a fully automated and encrypted process."
[Evan] Now this seems logical. I commend CCAP for responding with some detail about what they plan on doing to prevent similar breaches.
St. Helena solo Gordon Brownell, who handles criminal appeals, said he and some others were surprised that the stolen disk wasn't encrypted in the first place.
The theft "has upset a number of panel attorneys," he said. "But I'm not aware of any specific action that people have been taking other than that a number of attorneys are following the suggestion in the letter to sign up for some kind of identity protection program."
Commentary:
CCAP likely believed that the controls surrounding their backup disks were sufficient given the risk of potential compromise. Sensitive information should be encrypted at rest whenever feasible (commensurate with risk), no matter where it resides.
Past Breaches:
Unknown

"Rip Van Winkle logic". I like that; is that a phrase you originally coined, Evan? Cause it sure ain't no common phrase used down here in the Home of the Blues and the Birthplace of Rock and Roll where we still eat hog's head and turnip greens on New Year's day? I believe I mentioned to you before that I do not know any lawyer that is compliant with HIPAA in all of Memphis. The realization that I came to after reading your blog for a few months was that once you get somebody's social security number in your hand, if you combine that with a little larceny in the heart, you are micrometers away from critical mass. It scares me to think what I would be able to do if I only knew a little bit about source codes, etc. A smart criminal in this field would live large indeed. Sort of reminds me of an interview I heard on Art Bell one time about "Captain Crunch's" early days with the phone company. Lord have mercy what those Russian mafia people could do to this country with a couple of laptops. People not only cannot cook here anymore, they cannot even rise above ordering a specific numbered meal at McDonald's with a picture that goes with the number. Half of Memphis would starve if they took the pictures down at McDonald's and the customers had to read a menu. Perhaps this is where such people as the Bilderbergers use the phrase "useless eaters". I will have to ponder this situation. HIPAA, I thought it was the pelvis that Elvis shook.
I read your blog entry this time (well at least 4 or 5 sentences of it), instead of just glancing at it searching for something that I need to know, as unfortunately there exists insufficient time to know what I want to know. Anyway, when I actually read a couple of sentences from your blog rather than just glanced at the page, I saw your comment about the damages resulting from identification theft (while looking for that one piece of knowledge that was going to change my life) could not be prevented by "credit monitoring." One year is the de facto industry standard isn't it? Anyway, your comment encapsulated the whole idea behind my class action lawsuit argument that these type of damages are not too speculative and that anxiety over being the victim of all sorts of unknown types of damages is much worse than having anxiety regarding having your credit screwed up and identification loss anxiety would cover everything from "A to Z". I could be carjacked if they figured out I lived in an isolated place and was a weak elderly lady who drove home to a rural area like clockwork and who wore lots of expensive jewelry. Home invasion anxiety is my favorite. I have one lady from rural Mississippi who calls me every week worrying about being a victim of home invasions from the gangs from Memphis, all because her social security number was on a compromised laptop. Who knows, maybe she has a point? A district Judge in San Francisco (The 9th Circuit) said so in Ruiz v. The Gap, Inc. I think when I was interviewed for television, I was asked is not $600,000.00 a lot to ask for having your identity stolen? I think I responded to the reporter with a remark about how that the families of the people killed by terrorists using fake id's obtained with stolen social security numbers might not think so. Are you aware of any studies regarding issues concerning likelihood that a stolen identity might be improperly utilized?
It seems too amorphous to me to be something to study, but still the idea intrigues me. The loss of a nail resulted in the loss of a horse, etc... I've heard that line somewhere before. Usually there is at least a grain of truth somewhere in those old sayings, or they would not be "old sayings".