Disk Encryption: Criminal Defense Firm Has Backup Drives Stolen From Car.

The use of cryptographic solutions like AlertBoot’s managed laptop encryption is not a requirement under the legal profession, as far as I know.  Of course, the use of encryption rarely is a requirement in the US, although many states’ laws and certain federal regulations make it clear that the use of encryption is required – or strongly, very strongly, recommended – under certain circumstances.

But, even if this requirement were applied to all in the legal profession, would it have prevented the following data breach?

Imhoff and Associates Data Breach

Imhoff and Associates, P.C. has filed data breach notices with the New Hampshire Attorney General’s office and the California Attorney General’s office.  According to these, the firm experienced a data breach on June 27.  One of the firm’s employees had left a backup hard disk drive inside the trunk of his car, which was stolen by unknown thieves.

The drive contained names, dates of birth, SSNs, driver’s license numbers, and contact information such as home or email addresses as well as phone numbers.  The firm explains that they don’t believe that the disk was stolen for the information stored in it, but who’s to say why it was stolen?  Indeed, why did the thief or thieves target the trunk of this particular car?

Boosting a car’s trunk is, I dare say, unusual… unless a guy knows what he’s looking for.  For example, I’ve covered over the years how certain thieves will park themselves in a garage and watch people as they drive in.  The thieves will observe whether a potential victim opens the trunk after parking, and whether he places something inside before walking away.  If he does, the thieves know there’s something potentially valuable in the trunk and break into it.  Otherwise, they just sit tight and wait.  After all, what’s the use of breaking into a car’s trunk without knowing what’s in it?  There could be something of value, there could be nothing of value, there could be a dead body… nobody likes the unknown.

Not Encrypted

In the letter filed with the NH AG, the firm admits that it hadn’t used encryption software to protect the backup disk but promises to look over its current encryption use and other data security measures.  Not exactly what one would call stellar corporate behavior, especially for a criminal defense firm.

It certainly pales in comparison with some of our legal clients, who’ve been much more enthusiastic when it comes to the use of laptop encryption.  However, there’s a reason for this: most of our clients in the legal profession are also business associates to medical companies.  As such, they are beholden to HIPAA regulations, which are overseen and enforced by the HHS.  The HHS has been very enthusiastic in (essentially) forcing companies to use encryption anywhere sensitive patient data is stored, backing this enthusiasm with fines of up to $1.5 million per violation.  The ABA and other legal circles haven’t exactly been pushing for encryption.

In light of this, while it’s tempting to blame Imhoff for the data breach, one’s tongue should be tempered by their circumstances.  Data security is one of those areas where the “trickledown theory” plainly works, and as long as data security is a recommendation in legal professional circles, as opposed to a requirement, you can expect to see more cases like this in the future.
