A home invasion leads to a breach for a local lawyer


I apologize to The Breach Blog readers for falling behind in posting new breaches.  We have been very busy lately at FRSecure, helping our clients prevent breaches!  There are around a dozen breaches that I need to write about, including six from the New Hampshire Attorney General.  Thank you for your patience, and stay tuned!

-Evan

Date Reported:
Letter dated 7/26/10, posted online 9/17-9/18

Organization:
George R. LaRocque, Jr. - Attorney at Law

Contractor/Consultant/Branch:
None

Location:
Hudson, New Hampshire

Victims:
Clients

Number Affected:
"approximately 25"

Types of Data:
Personal information "including such things as names, social security numbers, tax identification numbers, account numbers, etc."

Breach Description:
On the morning of July 26, 2010, Mr. LaRocque awoke to find that someone had entered his home and stolen his laptop computer from his kitchen.  The laptop contained personal information belonging to some (or all) of his family law clients.

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

On the morning of July 26, 2010, I awoke to find that someone had entered my home during the night.
[Evan] This would be very disturbing!

My Lenovo ThinkPad T 43 Notebook computer was in the kitchen, but is missing.
[Evan] At least this laptop was in his home and not left in his unattended car.

It is an office computer that contains files and folders for some of the clients and families for whom I have provided legal services.

including such things as names, social security numbers, tax identification numbers, account numbers, etc.
[Evan] Ugh.  Not the kind of information that we would like to read about on a laptop.

The computer is password protected, meaning that a private password has to be entered before it could be used.
[Evan] Wrong!  A password is not required to access this information.  A T43 is an older laptop, so it's pretty likely that it was running Windows XP.  A Windows XP password can be bypassed with little effort in a matter of seconds.  Why are people still using unencrypted laptops and considering them "secure"?

I immediately reported the incident to the Hudson Police Department, which is conducting an investigation.

I conferred with professionals who provide computer-related services for my office

I have also been diligent in taking steps to contact and notify any person or office that should be made aware of the situation.

I initially contacted your office on July 26, 2010.

Since then, I have spoken with Sandra Petell and James Boffetti.

I believe that it was Ms. Petell who brought the above-referenced statutory provisions to my attention.

Commentary:
Some people might argue that we should cut this poor guy some slack.  He doesn't have the seemingly infinite information security resources and wisdom found in large companies.  How would he know how to protect sensitive information?

OK, fine.  What excuse is there for someone who collects and stores sensitive information, but does not understand his/her responsibilities for the protection of sensitive information?  Is there any valid excuse for storing sensitive information on a poorly protected laptop?  Is ignorance a valid excuse?  The fact of the matter is that there are real people who are affected by the loss or theft of personally identifiable information, and there are no valid excuses for not handling their information responsibly.  Can other small businesses learn from this incident/breach?  I hope so.

Past Breaches:
Unknown

 
Comments
  • 9/22/2010 4:42 AM Scott Wright wrote:
    Your posts are appreciated, Evan, whenever you can get to them! I have also been very busy, and haven't had much time to comment on them, but I do read them.

    In this case, small businesses are in a tough position. But I think most lawyers would tell you that just because you aren't aware of a law, doesn't mean you can expect to get a break from a judge. For some reason the phrase, "Ignorance is no defence" rings in my ears.

    It was a small number of clients, but some lawyers have thousands, and hopefully most do use encrypted file systems if they carry their files around on them.

    - Scott
    1. 9/22/2010 4:09 PM Evan Francen wrote:
      Scott,

      I'm glad to hear that you are busy too.  Hopefully, a good busy.

      I agree with you.  Small businesses are in a tough position, and I think it may only get tougher.

      Thank you for reading and commenting!
      -Evan