In this issue of Habeas Hard Drive:
- Item: A lawyer has opted out of LinkedIn because LinkedIn appears to know a little too much about the lawyer’s practice.
- Feature Story: FTC now coming down on companies that breach customer data. (Yes, it was an inadvertent breach!)
- Item from the FBI: So you retire after years of stellar service as an attorney. Suddenly “you” (your stolen professional identity) is practicing at a fake law firm.
LinkedIn to DC Attorney: Meet Your Confidential Client, Mr. X
We picked this up in a comment that was posted on one of the ABA newsletter articles. A reader using the handle DC Attorney says (s)he has deleted the LinkedIn account because of the following creepy experience: “…I found one of my confidential client’s names listed as a suggested connection… we’re not in the same industries, and he’s not a lawyer—except that he was in my AOL address book, and I was in his GMail address book.”
It’s not just LinkedIn that’s probing this guy or gal’s life. Note the participation of Gmail and AOL. DC Attorney says (s)he asked the client whether the connection had been revealed on his end. Client said no. DC Attorney also notes that “This is an issue for attorneys with confidential clients or witnesses, as well as doctors who correspond by email with patients, or even law enforcement. It’s alarming.”
We concur, and we remind you that nothing is free. The price for social networking is your confidential information. Period. The end.
FTC Comes Down on Data-Breaching Companies
The Federal Trade Commission (FTC) finalized settlements last month against two firms that collect and retain personal and confidential customer information. These rulings are a wake-up call for businesses of any size that store confidential or personal information.
The FTC decisions and orders were against Checknet, a Provo, Utah, debt collection firm, and Franklin Toyota/Scion, a Statesboro, Georgia, car dealership. These two entities inadvertently exposed confidential personal data belonging to thousands of consumers.
The apparent culprit: peer-to-peer file-sharing software typically used for sharing photos, music, videos and other entertainment content.
Explanation of how this can happen to follow shortly.
In its ruling, the FTC required the companies to put in place a detailed security plan, data protection systems, and regular staff training every two years for twenty years (emphasis ours). The commission specified that qualified security auditors will have to perform the work.
We’re guessing the twenty-year “sentence” shocked the management of these two companies, because in our experience, non-technical managers grossly underestimate the risk to their information assets.
Without having been on the forensic team, here is our interpretation of how these breaches occurred.
Peer-to-peer software applications are designed to make it fast and easy for anyone to grab files on a computer or network. Peer-to-peer networks have no central server. They are driven more by “the crowd” of users, than by the creator of the software. Names you may have heard include BitTorrent, Grokster, and eDonkey.
The sole purpose of peer-to-peer software is to seek and share files. Once installed, it’s somewhat automated, and it makes whatever it finds available to the world. Virtually anyone who’s on a compatible peer-to-peer network can grab, view, and re-share those files.
Once the toothpaste is out of the tube, it’s out. It’s impossible to recall or even locate all the copies of files that have been shared, shared again, and re-shared.
The FTC found that customer data belonging to Checknet and Franklin Toyota/Scion had been shared via peer-to-peer applications. It further found that employees had taken work home with them.
It’s common for peer-to-peer software to be present on home computers. Many times an innocent and well-intentioned staff member will download entertainment content on the same home computer also used to do work for the employer. The result is a de facto “co-mingling” of work data with personal entertainment content.
It appears in one or both of these cases that confidential customer data taken home on a USB “thumb” drive was compromised when the external drive was detected by peer-to-peer software. The P2P program did its work perfectly — finding and sharing the confidential customer files.
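As an added illustration (not from the newsletter or the FTC case files), this Python script audits what a P2P client’s shared folders would expose: it walks the shared roots the way the client does and flags any file whose content looks like customer records. The share roots, the PII patterns and the sample directory tree are constructed assumptions; real clients keep their share list in client-specific configuration.

```python
import re
import tempfile
from pathlib import Path

# Assumed PII signatures; the FTC files do not say what the exposed records contained.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most card-number false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> list[str]:
    """Name the kinds of PII found in one file's text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
        hits.append("card")
    return hits

def audit_share(share_roots) -> dict[str, list[str]]:
    """Walk the shared roots exactly as a P2P client would and report PII-bearing files."""
    exposed = {}
    for root in share_roots:
        for path in Path(root).rglob("*"):
            if path.is_file():
                hits = classify(path.read_text(errors="ignore"))
                if hits:
                    exposed[path.relative_to(root).as_posix()] = hits
    return exposed

def build_sample_tree() -> str:
    """Constructed home-PC layout: a shared music folder with a thumb drive mounted beneath it."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 64)
    usb = root / "USB_THUMB"
    usb.mkdir()
    (usb / "customers.csv").write_text("name,ssn,card\nJane Doe,078-05-1120,4111 1111 1111 1111\n")
    (usb / "notes.txt").write_text("order ref 4111-1111-1111-1112, nothing sensitive here\n")
    return str(root)

if __name__ == "__main__":
    for rel, hits in audit_share([build_sample_tree()]).items():
        print(rel, "->", ", ".join(hits))
```

Only the customer file on the thumb drive is reported; the music file and the note with a number that fails the Luhn check are not.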
The auto industry press that reported the rulings seems to have missed part of the point. They warned auto dealers that their IT people need to be on the look-out for peer-to-peer applications, and should un-install them. This is a dangerous misunderstanding of the ruling.
It is clear that the Commission’s ruling went far beyond warning these two firms about peer-to-peer software dangers on staff members’ home computers. The FTC clearly sent a warning to all types of businesses about the dangers of poor data security policies, poor system security, and poor staff security training. The commission also specifically required that certified information security auditors be hired for twenty years by each firm.
We’d like to add that information security practitioners are not the IT guys. They have a separate focus from IT personnel. This important distinction was not lost on the FTC, but it is lost, quite understandably sometimes, on non-technical management personnel who tend for efficiency’s sake to lump all technical functions together under the auspices of the “computer guys.”
Here is the link to the case documents: http://www.ftc.gov/opa/2012/06/epn-franklin.shtm
From the FBI: Lawyers’ Identities Being Used for Fake Website Solicitations
A recent scam has surfaced in which the identity of a Texas attorney, who had not practiced in years, was used to set up a fake law firm website using the attorney’s maiden name, former office address, and portions of her professional biography. Other attorneys have complained about the use of their names and professional information to solicit legal work. All attorneys should be on the alert to this scam. If you become aware of the same or a similar situation involving your name and/or law firm, you should immediately report the incident to local authorities, your state Bar, and the FBI at the Internet Crime Complaint Center. Additionally, be sure to closely monitor your credit report or bank accounts to ensure that your identity is not the only thing being stolen. If you have been a victim of an Internet scam or have received an e-mail that you believe was an attempted scam, please file a complaint at The FBI Internet Crimes and Complaint Center (IC3). Read more here: http://www.ic3.gov/media/2012/120914.a