• Like
  • Save
Resources for Lawyers Who Have Experienced Theft of Client Information
Upcoming SlideShare
Loading in...5
×
 

Resources for Lawyers Who Have Experienced Theft of Client Information

on

  • 1,001 views

 

Statistics

Views

Total Views
1,001
Views on SlideShare
1,000
Embed Views
1

Actions

Likes
0
Downloads
0
Comments
0

1 Embed 1

http://www.lmodules.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Resources for Lawyers Who Have Experienced Theft of Client Information Resources for Lawyers Who Have Experienced Theft of Client Information Document Transcript

    • Beverly A. Michaelis, J.D. Direct Dial 503.924.4178 Professional Liability Fund Practice Management Advisor beverlym@osbplf.org http://twitter.com/OreLawPracMgmt Main 503.639.6911 – Oregon Toll Free 800.452.1639 http://www.linkedin.com/in/beverlymichaelis www.osbplf.org Resources for Lawyers Who Have Experienced Theft of Client Information This PDF includes articles and a sample client letter which can be modified as needed. Please call or e-mail me if you have any questions. Beverly Michaelis
    • Professional liability fund www.osbplf.org Malprac t i ce Pre ve n t i o n Ed u ca t i o n f o r O re g o n La w ye r s Easy to Use or Easy to Lose? How to Protect Mobile Devices Mobile devices like the BlackBerry and Palm 6. Explore Data Wiping. Research in Treo have become indispensable tools for many Motion’s BlackBerry Enterprise Server, as an lawyers. Compact and easy to use, these devices example, comes with a feature that wipes all data offer quick access to calendars, contacts, e-mail, from the device’s memory once a certain num- documents, and other sensitive personal and cli- ber of failed log-in attempts are exceeded. The ent information. Unfortunately, the portability current version of Microsoft Exchange provides of such devices also makes them highly prone to for a remote wipe of a lost or stolen Windows loss or theft. If you or members of your firm use PDA. Remember that if you have regularly syn- a PDA, smartphone, or similar device, take ap- chronized your device, the destroyed data can be propriate steps to protect client confidentiality: easily restored to a replacement device. 1. Limit Use. Restrict the type of informa- 7. Starve the Virus. Virus attacks on tion stored on a handheld device to reduce your handheld devices are rare but potentially dev- exposure. astating if a compromised mobile device is synched to a desktop or network. All the major 2. Standardize. If more than one handheld antivirus vendors, including Symantec (Norton device is used, everyone in the firm should use Smartphone Security) and McAfee (McAfee the same type of device. Do not allow outside de- Mobile Security), offer security products de- vices. In the event of a problem, it will be easier signed for mobile platforms. Visit www. sy- to implement a firm-wide solution if everyone is mantec.com and www.mcafee.com for more using the same product. information. tHis issue 3. Password Protect. Use “power-on” 8. Learn More. To learn more about mobile august 2008 passwords. If the device is lost or stolen, data on devices, visit resources like the PDA Learning the device cannot be accessed without the pass- issue 105 Center at http://palmtops.about.com/od/pda- word. learningcenter/PDA_Learning_Center.htm or 4. Use the Lock-out Feature. Set devices www.pdatoday.com. to lock out users after a specified number of in- correct log-in attempts. Use “sleep” settings to Beverly A. MichAelis lock devices after 10 or 15 minutes of inactivity. PlF PrActice MAnAgeMent Advisor 5. Consider Encryption or Biometrics. Products like SafeGuard PDA from Utimaco go beyond password protection and lockouts to protect data by using encryption and biomet- rics. Biometrics protect data by requiring sig- nature, voice, or fingerprint authentication. If the device doesn’t recognize the user, it can’t be accessed. Visit http://americas.utimaco. com/safeguard_pda for more information. DISCLAIMER IN BRIEF includes claim prevention information that helps you to minimize the likelihood of being sued for legal malpractice. the material presented does not establish, report, or create the standard of care for attorneys. the articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate research.
    • IN BRIEF PROFESSIONAL LIABILITY FUND www.osbplf.org M ALPRACTICE A VOIDANCE N EWSLETTER LAPTOP COMPUTERS: PROTECTING FOR O REGON L AWYERS Unauthorized use of data usually results from: (a) loss or theft of the laptop; (b) unauthorized access to CONFIDENTIAL CLIENT the laptop for long enough to view or INFORMATION copy data; (c) loss or theft of data copied to diskettes or other portable Laptop computers present special storage devices (e.g., memory sticks, data security risks because they are de- USB drives) for printing, backup, or signed for mobility and are frequently data transfer; or (d) interception or used outside the office. Some of the risks compromise of data transmitted over associated with laptop usage are: telephone lines or the Internet. • Loss and Theft. Laptops are These security risks cannot be elimi- vulnerable to both human error (loss) nated, but a combination of technology and to greed (theft). The portable tools and user awareness can reduce nature of laptops makes them easy to laptop data security risks to a reasonable leave in a hotel room, airport, or level. restaurant. They are also easily stolen and sold on the black market. National PHYSICAL SECURITY crime statistics report that roughly 150,000 laptops were stolen in 1994, The risks of theft, unauthorized ac- 200,000 in 1995, and 275,000 in 1996. cess, or unauthorized use of data can be Theft is growing faster than the significantly reduced by diligently ob- number of laptop computers in use. serving the following physical security THIS ISSUE practices: October 2004 Theft from an office is the most Issue No. 93 common, and airport theft the second • Use a sturdy bag that doesn’t look most common. like a laptop bag to carry your laptop; • Unauthorized Access. Laptop • Hang the bag from your shoulder or computers are frequently used in keep it on the floor between your insecure locations – conference rooms, feet; temporary offices, and airports, to name a few. In most cases, the laptop is used • Use locking cables or burglar alarms; in a conference room or other public area where the laptop user is not well • Never leave the laptop unattended or known to others in the area. This out of your sight in a public place; situation makes it easy for an • Don’t check the laptop as luggage or unauthorized user to view or use the in a coatroom; laptop without looking suspicious. Be especially careful if you are using a • Don’t store the laptop in airports, high-quality large screen, as this allows airplanes, trains, or subways; a much wider viewing angle. • Keep the laptop with you when in • Unauthorized Use of Data. taxis, cars, or other transportation; DISCLAIMER THIS NEWSLETTER INCLUDES CLAIM PREVENTION TECHNIQUES THAT ARE DESIGNED TO MINIMIZE THE LIKELIHOOD OF BEING SUED FOR LEGAL MALPRACTICE. THE MATERIAL PRESENTED DOES NOT ESTABLISH, REPORT, OR CREATE THE STANDARD OF CARE FOR ATTORNEYS. THE ARTICLES DO NOT REPRESENT A COMPLETE ANALYSIS OF THE TOPICS PRESENTED AND READERS SHOULD CONDUCT THEIR OWN AP- PROPRIATE LEGAL RESEARCH.
    • • Watch the laptop as it goes through airport 2003 issue of Law Office Computing) and MemoPass. metal detectors (“snatch and grab” thefts are These devices create and store personal profiles for common); and the authorized user through a USB port or by access card. • Use locking or even unlocked drawers or cabinets to store laptop computers when you Creating a mobile system can backfire if the leave an office, conference room, or hotel room. system is not secure. This is a very important con- sideration when using a wireless connection. Wire- ACCESS SECURITY less laptops and computers have wireless adapters and wireless access ports that enable them to con- The second line of defense against laptop theft nect to your computer network. Unfortunately, these or unauthorized use of data is access security. If a wireless access ports transmit radio signals continu- laptop computer is lost, stolen, or otherwise outside ously. Since only about one percent of wireless us- the control of its owner, data remains secure if an ers change the vendor’s default user name and con- unauthorized person is prevented from turning the figurations, 99 percent of these wireless access computer on and using it. points are highly insecure. So if you are using a The simplest way to reduce access to your com- wireless network, don’t rely on the default settings puter data is to log off of the computer when you are of your laptop to protect you. Check with your wire- not able to stay near it, and to take the computer less vendor or consult with an expert about how to with you. Since this option is not always practical, properly secure your wireless system. you can also protect the data by using the lock com- Last, but not least, laptop users can secure data puter function of the computer. Simply hit Ctrl-Alt- by being selective about what they store on the Delete while your computer is on, then select Lock laptop. If possible, avoid storing personal informa- Computer. Your laptop is now locked until an autho- tion (such as birth dates and social security num- rized user logs on. bers) on a laptop. When working away from the of- Password security options include using pass- fice, use resources that the computer can link to via word protection on screen savers (so a password is the Internet as the sources of confidential data. needed once the screensaver appears), using a pass- Intranets, extranets, and Web sites protected by pri- word that guards against being easily guessed (of- vate passwords are examples of such sources not lo- ten referred to as a “strong” password), changing cated on a laptop’s hard drive. If the laptop is lost or passwords regularly, and following the other secu- stolen, the client data will not be compromised. This rity suggestions that are available from the maker of is particularly true if you don’t store the passwords your operating system. If you use Microsoft Win- to such resources on the laptop itself, or if the pass- dows, you can find a list of security tips by search- words are well encrypted to prevent unauthorized ac- ing the Help menu. cess. Our thanks to Beverly Michaelis, PLF Practice DATA SECURITY Management Advisor; Dee Crocker, PLF Practice Management Advisor; and Steel Scharbach of Steel Access security alone is not sufficient protec- Scharbach Associates, LLC, for their assistance with tion for laptop computers. Power-on and screen-lock this article. The original article, “Notebook Security: passwords can be eluded by removing a laptop’s Protecting Confidential Client Information,” hard drive and reinstalling the hard drive in another October 1997, can be found at www.ssa-lawtech.com. Click on white papers, then on security issues. laptop, and neither system protects data being trans- mitted by CD, memory sticks, portable hard drives, or e-mail. Using security software and hardware se- Also see: To catch a thief: tips and tools to curity devices provides additional data security. An protect your computer investment, http:// example of security software that includes e-mail en- www.abanet.org/media/youraba/200806/ cryption is Steganos Security Suite, reviewed in the article10.html. September 2003 issue of PC World. Examples of hardware security devices are DEFCON Authentica- tor (reviewed by David Hiersekorn for the June/July OCTOBER 2004 IN BRIEF - PAGE 2 www.osbplf.org
    • Professional liability fund www.osbplf.org Malprac t i ce Pre ve n t i o n Ed u ca t i o n f o r O re g o n La w ye r s Protect Client Information From Identity Theft Did you know that in 2006 Oregon ranked as (3) Passport number or other U.S.-issued the 13th worst state for identity theft in number identification card; of victims per capita? According to the Federal (4) Financial account number, credit or debit Trade Commission, this crime costs U.S. busi- card number, in combination with any required nesses nearly $48 billion every year. As keep- security code, access code, or password that ers of confidential client information, lawyers are would permit access to a consumer’s financial particularly vulnerable. account. The Oregon Consumer Identity Theft Protec- Many law firms already comply with the tion Act (the Act) passed by the 2007 legislature Act because of the requirements of the Or- (ORS 646A.600 to 646A.628) gives businesses egon Rules of Professional Conduct. Under some guidance in the protection of sensitive in- ORPC 1.15-1, “Safekeeping Property,” a law- formation that is collected, kept, and shared. The yer has a duty to appropriately safeguard a law contains three main components that will client’s property. A client file is considered help protect sensitive information: (1) protection client property; thus the information contained of Social Security numbers; (2) general safe- in a client file must be appropriately protected. guards for data; and (3) notification of a security See Oregon Formal Eth- breach. The safeguard standards became effective ics Opinion No. 2005-125, fn 2. January 1, 2008; the remainder of the law became ORPC 1.6 requires lawyers to keep confidential effective October 1, 2007. any “information relating to the representation of Some law firms will not need to make any ad- a client.” In addition, the Act does not apply to ditional changes to their law practice to comply law firms who comply with state or federal law with the Act. In fact, many firms have already that provides greater protection to personal infor- tHis issue implemented most of the requirements because of mation, such as Title V (the privacy provisions) of august 2008 the inherently confidential nature of operating a the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. issue 105 law practice. 6801 to 6809) or the Health Insurance Portabil- ity and Accountability Act of 1996 (HIPAA) Does the Act Apply to Lawyers? (45 CFR parts 160 and 164). The new law applies to lawyers who, in the course of their practice, maintain or possess an What Does the Act Require? individual’s personal information. “Personal in- The focus of the Act is to provide businesses formation” means an individual’s unencrypted or with reasonable safeguards and procedures in unredacted first name or first initial and last name handling and disposing of personal information in combination with any one or more of the fol- and to protect the security, confidentiality, and lowing: integrity of the information. (1) Social Security number; One requirement that may be new to lawyers is that Social Security numbers must be redacted (2) Driver license number or state identifica- tion card; Continued on page 2 DISCLAIMER IN BRIEF includes claim prevention information that helps you to minimize the likelihood of being sued for legal malpractice. the material presented does not establish, report, or create the standard of care for attorneys. the articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate research.
    • on any materials that are mailed, publicly posted, or pub- What to Do After a Security Breach licly displayed. This requirement does not apply to the use of SSNs for internal verification purposes or as required by The good news is that the Act gives law firms guidance state or federal law. Counties around the state have made on how to notify clients of a security breach. A “breach of available a UTCR Form 2.100 Affidavit that segregates per- security” is an “unauthorized acquisition of computerized sonal information from documents that are filed in court. The data that materially compromises the security, confidentiality requirement does not apply to judgments, court orders, or or integrity of personal information.” A breach of security indictments filed before October 1, 2007. can occur when a laptop or portable device is lost or stolen, or any time a computer hacker or an unauthorized person ac- If you collect any personal information, consider con- cesses personal information of a client. firming in your fee agreement or engagement letter that the information will be used only to provide legal representation If you discover that a security breach has occurred, you to the client. If your client’s case necessitates mailing docu- must immediately notify those individuals whose informa- ments that include Social Security numbers, you might also tion has been breached. You can notify clients by (1) mail; want to get the client’s written consent. (2) e-mail (if this is the usual way you communicate with your client); (3) telephone; or (4) substitute notice, in For law practices that do not currently have a security limited circumstances, involving large cost or volume, as program in place, these are the minimum requirements that specified by the Act. Whichever method of notification should be implemented to comply with the Act: you select, be sure to document your efforts. • Administrative safeguards – Identify what in- The notice must include the following information: formation the firm collects, where it is stored, and how to keep it safe; train employees in the security program; (1) a general description of the security breach; ensure that contracted service providers will protect per- (2) the approximate date the breach occurred; sonal information. (3) the type of personal information obtained as a result • Technical safeguards – Assess risks in your com- of the breach; puter network and software programs; put in place safeguards (4) your firm’s contact information; to detect, prevent, and respond to attacks or system failures; test the safeguards to make sure they work. (5) contact information for national consumer reporting • Physical safeguards – Protect against unauthor- agencies; and ized access to or use of personal information. (6) advice to the individual to report suspected identity The compliance standard for businesses with 50 or fewer theft to law enforcement, including the Federal Trade Com- employees is to have safeguards and disposal measures that mission. are “appropriate to the size and complexity of the small busi- For a sample notification letter, go to www.osbplf.org. ness, the nature and scope of its activity, and the sensitivity Under Loss Prevention, select Practice Aids and Forms, then of the personal information collected.” select Client Relations. Practitioners must dispose of personal information Notification is not required if, after an investigation or by burning, pulverizing, shredding, or erasing electronic after consultation with law enforcement agencies, you de- media. When recycling an old computer, the hard drive termine that there is no reasonable likelihood of harm to must be cleaned, destroyed, or reformatted. For infor- the client whose personal information has been breached. mation on file management, retention, and destruction, When making this assessment, consider ORPC 1.4(b), which go to www.osbplf.org. Under Loss Prevention, select requires lawyers to explain matters to cllients to the extent Practice Aids and Forms, then select File Management. necessary for them to make informed decisions. Also, if your Your security program should also include securely stor- judgment about whether to make the disclosure is impacted ing sensitive information by using passwords and encryption – because you or someone in your firm was responsible for and by securing information on portable devices such as lap- the breach – you may have a conflict due to a personal inter- tops, USB Flash Drives, and PDAs. (See “Easy to Use or est under ORPC 1.7(a)(2). You must document your determi- Easy to Lose? How to Protect Mobile Devices,” page 7.) nation in writing and retain it for five years. If you discover a breach of security affecting more than 1,000 clients, you must immediately report your notification steps to all national consumer reporting agencies. Currently, august 2008 – Page 2 www.osbplf.org
    • there are four: Equifax, TransUnion, Experian, and Innovis. Your report should include the timing, distribution, and con- tent of the notification given and the police report number, if available. Post–security breach services, such as ID TheftSmart (www.idtheftsmart.com), offer identity restoration and credit monitoring services. A PLF practice management advisor is available to meet with you to discuss your firm’s security plan and suggest other safeguards you may want to implement. You can reach Beverly Michaelis at 503-924-4178 or bev- erlym@osbplf.org; Sheila Blackford at 503-684-7421 or sheilab@osbplf.org; and Dee Crocker at 503-924-4167 or deec@osbplf.org. Kimi Nam PLF StaFF attorNey Thanks to Helen Hierschbiel, OSB Deputy General Counsel, for her assistance with this article. august 2008 – Page  www.osbplf.org
    • Identity Theft Protection PLF/OSB Resources Disaster Recovery In Brief Articles: • Managing Practice interruptions • act now to avoid disaster (May 2008) • Protecting your firm (includes Web resources) • Glb Privacy notice (tips, traps, & resources, Technology february 2006) • How to back up your Computer • document destruction (June 2005) • application service Providers • do you need to Know about HiPaa? (June 200) File Management Oregon State Bar Bulletin Articles: • file retention and destruction • the lawyer’s Guide to Mobile Computer security (november 2007) Client Relations • Metadata: Guarding against the disclosure of • notice to Clients re theft of Computer embedded information (april 2007) equipment • Metadata: danger or delight? (May 2006) Additional Resources State of Oregon’s Division of Finance and Corporate Securities (DFCS): http://www.cbs.state.or.us/dfcs/ id_theft.html. Contains sample notification letters, tips for protecting data, contact information for dfCs representatives who can present information to your firm, and other resources. Credit Reports and Credit Reporting Agencies: Consumers can obtain a free credit report once every 12 months. free annual Credit report www.annualcreditreport.com will link you to three of the four national credit reporting agencies (equifax www.equifax.com; experian www.experian.com; transunion www.transunion.com). innovis is the fourth (www.innovis.com). Federal Trade Commission: www.ftc.gov/infosecurity. Provides information for businesses about keeping information secure. includes a tutorial and related articles on protecting personal information. Department of Homeland Security’s National Strategy to Secure Cyberspace: http://www.dhs.gov/xlibrary/ assets/National_Cyberspace_Strategy.pdf. describes the roles and responsibilities of both public and private sectors in the department’s efforts to secure cyberspace. OnGuard Online: www.OnGuardOnline.gov. Gives practical tips from the federal government and technology experts on how to guard against internet fraud, secure your computer, and protect personal information. ABA Law Practice Management Section: www.abanet.org/lpm/resources/technology.shtml. Contains excellent information for lawyers on identity theft, hacking, viruses, spyware , and more. ABA Legal Technology Resource Center: www.abanet.org/tech/ltrc. Contains a comprehensive collection of technology resources and information. see the article, “to catch a thief—tips and tools to protect your computer investment,” at www.abanet.org/media/youraba/200806/article10.html, and also at www.osbplf.org. ABA’s GPSolo Technology & Practice Guide: www.abanet.org/genpractice/magazine/2006/jun/index.html. Published by the General Practice, solo & small firm division, the entire June 2006 issue (volume 2, number ) is devoted to technological issues such as mobility and security. Internal Revenue Service: www.irs.gov. irs news release 2008-88, July 10, 2008, cautions about a new wave of scams using the irs name in identity theft e-mails (phishing) involving tax refunds and economic stimulus payments. Oregon Administrative Rule 160-100-0210: www.filinginoregon.com/notary/new_notary_journal_rule.htm. this new rule, effective May 1, 2008, addresses protections for notaries and the clients they serve by helping the notaries comply with the oregon Consumer identity theft Protection act. august 2008 – Page  www.osbplf.org
    • IN BRIEF PROFESSIONAL LIABILITY FUND www.osbplf.org M ALPRACTICE A VOIDANCE N EWSLETTER WHAT TO DO ABOUT STOLEN/LOST CLIENT FILES FOR O REGON L AWYERS You leave the office. It’s a typical busy day, and you take a few files with you to work on at home. On the way, you stop at the grocery store to pick up a few items. On returning to the park- ing lot, you realize your car has been stolen. As you call the police and your insurance company to report the incident, you realize that your client files were in the car . . . If this or a similar nightmare happens to you, call the PLF for advice on how to discuss this with your client. It is important to let your client know that the file has been lost or stolen and that you will be reconstructing the file. In addition, if your file, briefcase, or laptop contained social se- curity numbers, birth dates, or other information that would allow someone to steal your client’s identity, your client will need to know in order to take the appropriate precautionary steps. THIS ISSUE If your files are lost or stolen, contact your October 2004 business insurance carrier to see whether your Issue No. 93 business policy covers you for the cost of recon- structing the file. This type of coverage is often included in your property coverage and may be referred to as Valuable Papers coverage. The property coverage of your business in- surance is also the coverage that would apply to replacement of stolen laptops, although a deduct- ible may apply. To make sure you have the level and type of coverage you want, contact your local insurance broker. A wide range of coverage limits and busi- ness coverage packages are available. Premiums vary with the amount of coverage, usually run- ning from $250 to $1,500 per year. DISCLAIMER THIS NEWSLETTER INCLUDES CLAIM PREVENTION TECHNIQUES THAT ARE DESIGNED TO MINIMIZE THE LIKELIHOOD OF BEING SUED FOR LEGAL MALPRACTICE. THE MATERIAL PRESENTED DOES NOT ESTABLISH, REPORT, OR CREATE THE STANDARD OF CARE FOR ATTORNEYS. THE ARTICLES DO NOT REPRESENT A COMPLETE ANALYSIS OF THE TOPICS PRESENTED AND READERS SHOULD CONDUCT THEIR OWN AP- PROPRIATE LEGAL RESEARCH.
    • NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT [Date] IMPORTANT NOTICE TO ALL CLIENTS RE: THEFT OF COMPUTER EQUIPMENT AND POSSIBLE BREACH OF INFORMATION Dear Clients: The purpose of this letter is to inform you that [describe event, such as: two of our laptops were stolen recently]. The theft has been reported to the authorities, our property management staff, our insurance carrier, and the three major U.S. credit bureaus. Like many law offices, we maintain information on our computer system, including our laptops. The information we store electronically includes financial data and client records. Our standard practice is to protect all electronic information by [describe your standard practice, such as password protection]. Despite these measures, there is a risk that your confidential information, including your social security number or financial account information, may have been compromised. We deeply regret any inconvenience this event may cause you. You have the right to request that credit reporting agencies place “security freezes” or “fraud alerts” in your credit file. Enclosed is important information from the Oregon Department of Justice explaining your rights as a potential victim of identity theft. More information is available on the Federal Trade Commission’s identity theft web site at www.ftc.gov/idtheft. Because this is a serious incident, we strongly encourage you to take preventative measures now to help prevent and detect any misuse of your information. As a first step, we recommend you closely monitor your financial accounts and, if you see any unauthorized activity, promptly contact your financial institution. You also may want to consider requesting a free credit report from each of the three companies. To order your free credit report, contact the Annual Credit Report Request Service: Annual Credit Report Request Service PO Box 105283 Atlanta, GA 30348-5283 www.annualcreditreport.com Telephone: 1-877-322-8228 AnnualCreditReport.com is the official clearinghouse to help consumers obtain their free credit report from each of the nationwide credit reporting agencies. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. A victim’s personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot [20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)
    • problems and address them quickly. To protect yourself from the possibility of identity theft, Oregon law allows you to place a security freeze on your credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. To place a security freeze on your credit, you must contact each credit reporting agency individually by mail. For more information, please refer to the enclosed information from the Oregon Department of Justice. For detailed procedures, go to the Oregon Department of Consumer and Business Services at http://www.dfcs.oregon.gov/id_theft.html and click on How to Obtain a Security Freeze. [Optional: If you decide to freeze your credit as a precaution and do not qualify for a free security freeze, our firm will cover the costs involved in placing the freeze with each credit agency. Any charge incurred to lift or remove a freeze will be the individual client’s responsibility. Please contact (specify name) at (specify method of contact) for more information.] [[Optional: To protect you we have retained [name of identity theft company], a specialist in identity theft protection, to provide you with [specify years] year(s) of protection and restoration services, free of charge. You can enroll in the program by following the enclosed directions. Please keep this information. You will need the personal access code it contains in order to register for services. The service package that we have arranged provides these protections for you: [List specific services the client will receive]. While electronic information was lost as a result of this incident, please be assured that no paper files or documents were taken. Your client file is safe. Our standard procedure is to store client files in locked filing cabinets. Nevertheless, we are reviewing all our security measures to determine if improvements can be made. Specify how clients should contact you with questions: [Option 1: We are sending this letter to all clients affected by this loss. Due to the number of clients involved, please understand that it may be difficult for us to respond by phone to individual inquiries about the [event]. Please forward any questions you have in writing to [specify person and postal mail or e-mail address] and we will respond at the earliest possible opportunity. We regret having to inform you of this incident and we apologize for any inconvenience to you.] [Option 2: If you have further questions or concerns, contact us at this special telephone number: [specify number]. You can also check our Web site at www.ourwebsite.org for updated information. We apologize for any distress this situation has caused you. We are ready to assist you in any way.} Sincerely, [Attorney] ENC.: Oregon Department of Justice: Credit and Identity Theft (Available at: http://www.doj.state.or.us/finfraud/idtheft.shtml Directions for Enrolling in Identity Theft Protection Service (if offered) [20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)
    • NOTE: Visit the Oregon Division of Finance and Corporate Securities (DFCS) Web site, http://www.dfcs.oregon.gov/id_theft.html. The DFCS is responsible for enforcement of the Oregon Identity Theft Protection Act. Click on Tools for Businesses for more information on: Protecting Social Security Numbers Data Breach Notification Requirements Sample Notification Letter Protecting Data Frequently Asked Questions Additional Resources Publication: Protecting Your Personal Information – A Business Guide [20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)