When people think of a data breach’s they often think of a cyber-criminal breaking into a computer system and stealing client/customer personal information. They are not all very high tech. This is an actual occurrence that recently happened:
We made an inadvertent disclosure of client’s family’s personal information (including Social Security numbers) to third parties as follows:
On Wednesday a legal assistant was printing copies from our printer to prepare a mailing with copied documents to persons in a Probate matter handled by our firm relating to an estate. During the printing and stuffing of the envelopes for the Probate matter, another attorney in our office was also using the same printer to print copies of a Judgment Information Form ("JIF") for a domestic relations matter which contained confidential information relating to this client. In stuffing the envelopes for the Probate mailing the JIF was inadvertently included and mailed to the Probate recipients.
On the following Monday we were notified by one of the Probate recipients that the mail documents they received included the unrelated JIF. We immediately notified domestic relations client of the error and called estate recipients we could reach to inform them of the error.
On Friday we sent a letter to the Probate recipients with self-addressed, stamped, return envelopes requesting that they sign a nondisclosure statement and either return the JIF to us or acknowledge that they destroyed it. We also sent an email to domestic relations client updating on our efforts to protect the domestic relations client’s confidential information. To date we have received some but not all of the nondisclosure statements back indicating they had destroyed the JIF.
Shortly thereafter we received the email from the domestic relations client, which we interpreted as a potential claim that we had committed malpractice and which requested that we provide the domestic relations client with the contact information of the persons who received the JIF.
Low tech errors can cause a firm just as many problems and exposure the firm to the same requirements and liability as a high tech data breach. Release of this information by an organization can open up the organization to violation of HIPPA, Granm-Leach-Billey Act, or other state privacy legislation that could result in law suits for damages and sanctions.