Yesterday’s blog dealt with a data breach that did not use a computer. There are many ways to compromise personal confidential information without a computer. This is a recent example of what can happen:
As with many older law firms, this firm had too many client files for its actual office space. The law firm’s office space was in a large upscale multi-story office building. The office building provides additional individual tenant storage space in the basement, where the firm maintained additional files under lock and key. The basement had security that prevented the general public from being able to access the storage space.
Another tenant in the building that also had storage in the basement had moved out, but had not completely cleaned out its storage space. This tenant left junk behind that the landlord wanted cleaned out prior to a new tenant moving in.
The landlord hired a cleaning service to clear out the remaining junk in the former tenant’s storage space. The landlord had given the cleaning service the ‘master keys’ to the storage spaces. The cleaning of the storage space was done over a weekend so as to not disrupt other tenants.
Soon after, law firm staff went down to their storage space to retrieve a client file. Much to the staff’s surprise, everything in their storage space was gone. The law firm contacted the landlord and law enforcement about the ‘break-in’ to their storage facility. Landlord staff remembered that they had recently hired a cleaning service to clean out a former tenant’s space. It turned out that there was confusion between the landlord and the cleaning service as to exactly which space was to be cleaned out. The cleaning service had used their access and mistakenly disposed of the law firm’s stored files.
In addition to current and past client files with personal confidential information, the firm also stored firm financial records, past tax returns, and other important firm operational information in this area.
Even though the landlord gave ‘verbal’ assurances that the files were ‘buried’ and/or ‘destroyed’, the law firm is now faced with ethical and client notification issues. Although the law firm may have recourse against the landlord, the law firm is ultimately responsible for the loss of client information. Low-tech errors cause the same liability and notification requirements as a high-tech data breach. Release of personal confidential information in your care, custody and control can expose your organization to violations of HIPAA, the Gramm-Leach-Bliley Act, or other state privacy legislation, which can result in lawsuits for damages and sanctions.