Lawyer Laptop Encryption: San Francisco Attorney Notifies Clients of Laptop Theft, Potential Data Breach.
A data breach can be a devastating experience. Even more so if the breach involves a particular profession where privacy, anonymity, and secrecy happen to be paramount. That’s why a medical data breach hits people more closely than a retailer’s data breach. And why a data breach involving the legal profession seems even more alarming. And yet, the use of disk encryption on lawyers’ laptops is not a requirement. Which means news like the following can be expected for the foreseeable future.
January 6, 2015
According to databreaches.net, the law offices of David A. Krausz in San Francisco, CA experienced the theft of a laptop computer that contained sensitive data, including personal information. California, being the bellwether when it comes to data breach notifications and other personal data security issues, requires breached entities to get in touch with affected people, as well as the California State Attorney General.
That is, only if the data was not protected with encryption software. If the data had been protected by the likes of AlertBoot’s managed disk encryption solutions, a notification letter (to the potential victims or the AG) would not have been necessary, as the law provides safe harbor.
The theft took place on January 6, 2015 – possibly making it the very first reported data breach in California for the new year – and notification letters appear to have been sent on the 12th. That’s actually a very fast response and Krausz should be complimented on their alacrity.
On the other hand, the details given about the breach itself leave much to be desired. As databreaches.net points out, where did it occur? Was the laptop stolen from someone’s car? (If so, Krausz is in good company. Laptops left in vehicles are probably one of the leading causes of laptop thefts.)
Was it stolen from their offices? If so, perhaps we can give Krausz a little leeway (but not too much).
“The Highest Level Possible”
Why not too much? Because it is claimed that they “take [their] obligation to serve [their] current and former clients very seriously and [they] are committed to protecting your privacy at the highest level possible.”
The highest level possible, it seems to me, would involve using encryption software or other technological precautions. Of course, lacking particular details, it could very well be that they do, but this particular laptop was missed in the effort. And we cannot rule out the possibility that Krausz is sending notifications despite having used encryption to protect its clients’ data.
But this seems a tad improbable. What lawyer would invite the potential for lawsuits? Because that’s what generally happens when you notify someone that you have lost their sensitive data: lawsuits are filed.
At the end of the day, though, it feels like either their regulatory body or the laws are to blame. It’s not a secret that, when given a choice, people tend to lean towards not securing sensitive data. Perhaps people feel secure. Or perhaps they don’t think it will happen to them. Or perhaps they think that the investment won’t be worth it – better to deal with the breach if it comes. But make it a requirement, like New Jersey recently did for health insurance providers, or like HHS/OCR does for any entities that are covered by HIPAA/HITECH, and the story changes.
Perhaps President Obama’s recent proposal for a national data breach notification law will prompt some changes.