Resources for Lawyers Who Have Experienced Theft of Client Information
1. Beverly A. Michaelis, J.D. Direct Dial 503.924.4178
Professional Liability Fund
Practice Management Advisor beverlym@osbplf.org
http://twitter.com/OreLawPracMgmt
Main 503.639.6911 – Oregon Toll Free 800.452.1639 http://www.linkedin.com/in/beverlymichaelis
www.osbplf.org
Resources for Lawyers Who Have Experienced
Theft of Client Information
This PDF includes articles and a sample client letter which can be modified as
needed.
Please call or e-mail me if you have any questions.
Beverly Michaelis
2. Professional liability fund
www.osbplf.org
Malprac t i ce Pre ve n t i o n Ed u ca t i o n f o r O re g o n La w ye r s
Easy to Use or Easy to Lose?
How to Protect Mobile Devices
Mobile devices like the BlackBerry and Palm 6. Explore Data Wiping. Research in
Treo have become indispensable tools for many Motion’s BlackBerry Enterprise Server, as an
lawyers. Compact and easy to use, these devices example, comes with a feature that wipes all data
offer quick access to calendars, contacts, e-mail, from the device’s memory once a certain num-
documents, and other sensitive personal and cli- ber of failed log-in attempts are exceeded. The
ent information. Unfortunately, the portability current version of Microsoft Exchange provides
of such devices also makes them highly prone to for a remote wipe of a lost or stolen Windows
loss or theft. If you or members of your firm use PDA. Remember that if you have regularly syn-
a PDA, smartphone, or similar device, take ap- chronized your device, the destroyed data can be
propriate steps to protect client confidentiality: easily restored to a replacement device.
1. Limit Use. Restrict the type of informa- 7. Starve the Virus. Virus attacks on
tion stored on a handheld device to reduce your handheld devices are rare but potentially dev-
exposure. astating if a compromised mobile device is
synched to a desktop or network. All the major
2. Standardize. If more than one handheld
antivirus vendors, including Symantec (Norton
device is used, everyone in the firm should use
Smartphone Security) and McAfee (McAfee
the same type of device. Do not allow outside de-
Mobile Security), offer security products de-
vices. In the event of a problem, it will be easier
signed for mobile platforms. Visit www. sy-
to implement a firm-wide solution if everyone is
mantec.com and www.mcafee.com for more
using the same product.
information.
tHis issue 3. Password Protect. Use “power-on”
8. Learn More. To learn more about mobile
august 2008 passwords. If the device is lost or stolen, data on
devices, visit resources like the PDA Learning
the device cannot be accessed without the pass-
issue 105 Center at http://palmtops.about.com/od/pda-
word.
learningcenter/PDA_Learning_Center.htm or
4. Use the Lock-out Feature. Set devices www.pdatoday.com.
to lock out users after a specified number of in-
correct log-in attempts. Use “sleep” settings to Beverly A. MichAelis
lock devices after 10 or 15 minutes of inactivity. PlF PrActice MAnAgeMent Advisor
5. Consider Encryption or Biometrics.
Products like SafeGuard PDA from Utimaco
go beyond password protection and lockouts to
protect data by using encryption and biomet-
rics. Biometrics protect data by requiring sig-
nature, voice, or fingerprint authentication. If
the device doesn’t recognize the user, it can’t
be accessed. Visit http://americas.utimaco.
com/safeguard_pda for more information.
DISCLAIMER
IN BRIEF includes claim prevention information that helps you to minimize the likelihood of being sued
for legal malpractice. the material presented does not establish, report, or create the standard of care
for attorneys. the articles do not represent a complete analysis of the topics presented, and readers
should conduct their own appropriate research.
3. IN BRIEF PROFESSIONAL LIABILITY FUND
www.osbplf.org
M ALPRACTICE A VOIDANCE N EWSLETTER
LAPTOP COMPUTERS:
PROTECTING
FOR O REGON L AWYERS
Unauthorized use of data usually
results from: (a) loss or theft of the
laptop; (b) unauthorized access to
CONFIDENTIAL CLIENT the laptop for long enough to view or
INFORMATION copy data; (c) loss or theft of data
copied to diskettes or other portable
Laptop computers present special storage devices (e.g., memory sticks,
data security risks because they are de- USB drives) for printing, backup, or
signed for mobility and are frequently data transfer; or (d) interception or
used outside the office. Some of the risks compromise of data transmitted over
associated with laptop usage are: telephone lines or the Internet.
• Loss and Theft. Laptops are These security risks cannot be elimi-
vulnerable to both human error (loss) nated, but a combination of technology
and to greed (theft). The portable tools and user awareness can reduce
nature of laptops makes them easy to laptop data security risks to a reasonable
leave in a hotel room, airport, or level.
restaurant. They are also easily stolen
and sold on the black market. National PHYSICAL SECURITY
crime statistics report that roughly
150,000 laptops were stolen in 1994, The risks of theft, unauthorized ac-
200,000 in 1995, and 275,000 in 1996. cess, or unauthorized use of data can be
Theft is growing faster than the significantly reduced by diligently ob-
number of laptop computers in use. serving the following physical security
THIS ISSUE practices:
October 2004 Theft from an office is the most
Issue No. 93 common, and airport theft the second
• Use a sturdy bag that doesn’t look
most common.
like a laptop bag to carry your laptop;
• Unauthorized Access. Laptop
• Hang the bag from your shoulder or
computers are frequently used in
keep it on the floor between your
insecure locations – conference rooms,
feet;
temporary offices, and airports, to name
a few. In most cases, the laptop is used • Use locking cables or burglar alarms;
in a conference room or other public
area where the laptop user is not well • Never leave the laptop unattended or
known to others in the area. This out of your sight in a public place;
situation makes it easy for an • Don’t check the laptop as luggage or
unauthorized user to view or use the in a coatroom;
laptop without looking suspicious. Be
especially careful if you are using a • Don’t store the laptop in airports,
high-quality large screen, as this allows airplanes, trains, or subways;
a much wider viewing angle.
• Keep the laptop with you when in
• Unauthorized Use of Data. taxis, cars, or other transportation;
DISCLAIMER
THIS NEWSLETTER INCLUDES CLAIM PREVENTION TECHNIQUES THAT ARE DESIGNED TO MINIMIZE THE LIKELIHOOD OF BEING SUED FOR
LEGAL MALPRACTICE. THE MATERIAL PRESENTED DOES NOT ESTABLISH, REPORT, OR CREATE THE STANDARD OF CARE FOR ATTORNEYS.
THE ARTICLES DO NOT REPRESENT A COMPLETE ANALYSIS OF THE TOPICS PRESENTED AND READERS SHOULD CONDUCT THEIR OWN AP-
PROPRIATE LEGAL RESEARCH.
4. • Watch the laptop as it goes through airport 2003 issue of Law Office Computing) and MemoPass.
metal detectors (“snatch and grab” thefts are These devices create and store personal profiles for
common); and the authorized user through a USB port or by access
card.
• Use locking or even unlocked drawers or
cabinets to store laptop computers when you Creating a mobile system can backfire if the
leave an office, conference room, or hotel room. system is not secure. This is a very important con-
sideration when using a wireless connection. Wire-
ACCESS SECURITY less laptops and computers have wireless adapters
and wireless access ports that enable them to con-
The second line of defense against laptop theft nect to your computer network. Unfortunately, these
or unauthorized use of data is access security. If a wireless access ports transmit radio signals continu-
laptop computer is lost, stolen, or otherwise outside ously. Since only about one percent of wireless us-
the control of its owner, data remains secure if an ers change the vendor’s default user name and con-
unauthorized person is prevented from turning the figurations, 99 percent of these wireless access
computer on and using it. points are highly insecure. So if you are using a
The simplest way to reduce access to your com- wireless network, don’t rely on the default settings
puter data is to log off of the computer when you are of your laptop to protect you. Check with your wire-
not able to stay near it, and to take the computer less vendor or consult with an expert about how to
with you. Since this option is not always practical, properly secure your wireless system.
you can also protect the data by using the lock com- Last, but not least, laptop users can secure data
puter function of the computer. Simply hit Ctrl-Alt- by being selective about what they store on the
Delete while your computer is on, then select Lock laptop. If possible, avoid storing personal informa-
Computer. Your laptop is now locked until an autho- tion (such as birth dates and social security num-
rized user logs on. bers) on a laptop. When working away from the of-
Password security options include using pass- fice, use resources that the computer can link to via
word protection on screen savers (so a password is the Internet as the sources of confidential data.
needed once the screensaver appears), using a pass- Intranets, extranets, and Web sites protected by pri-
word that guards against being easily guessed (of- vate passwords are examples of such sources not lo-
ten referred to as a “strong” password), changing cated on a laptop’s hard drive. If the laptop is lost or
passwords regularly, and following the other secu- stolen, the client data will not be compromised. This
rity suggestions that are available from the maker of is particularly true if you don’t store the passwords
your operating system. If you use Microsoft Win- to such resources on the laptop itself, or if the pass-
dows, you can find a list of security tips by search- words are well encrypted to prevent unauthorized ac-
ing the Help menu. cess.
Our thanks to Beverly Michaelis, PLF Practice
DATA SECURITY Management Advisor; Dee Crocker, PLF Practice
Management Advisor; and Steel Scharbach of Steel
Access security alone is not sufficient protec- Scharbach Associates, LLC, for their assistance with
tion for laptop computers. Power-on and screen-lock this article. The original article, “Notebook Security:
passwords can be eluded by removing a laptop’s Protecting Confidential Client Information,”
hard drive and reinstalling the hard drive in another October 1997, can be found at www.ssa-lawtech.com.
Click on white papers, then on security issues.
laptop, and neither system protects data being trans-
mitted by CD, memory sticks, portable hard drives,
or e-mail. Using security software and hardware se- Also see: To catch a thief: tips and tools to
curity devices provides additional data security. An protect your computer investment, http://
example of security software that includes e-mail en- www.abanet.org/media/youraba/200806/
cryption is Steganos Security Suite, reviewed in the article10.html.
September 2003 issue of PC World. Examples of
hardware security devices are DEFCON Authentica-
tor (reviewed by David Hiersekorn for the June/July
OCTOBER 2004 IN BRIEF - PAGE 2 www.osbplf.org
5. Professional liability fund
www.osbplf.org
Malprac t i ce Pre ve n t i o n Ed u ca t i o n f o r O re g o n La w ye r s
Protect Client Information From Identity Theft
Did you know that in 2006 Oregon ranked as (3) Passport number or other U.S.-issued
the 13th worst state for identity theft in number identification card;
of victims per capita? According to the Federal (4) Financial account number, credit or debit
Trade Commission, this crime costs U.S. busi- card number, in combination with any required
nesses nearly $48 billion every year. As keep- security code, access code, or password that
ers of confidential client information, lawyers are would permit access to a consumer’s financial
particularly vulnerable. account.
The Oregon Consumer Identity Theft Protec- Many law firms already comply with the
tion Act (the Act) passed by the 2007 legislature Act because of the requirements of the Or-
(ORS 646A.600 to 646A.628) gives businesses egon Rules of Professional Conduct. Under
some guidance in the protection of sensitive in- ORPC 1.15-1, “Safekeeping Property,” a law-
formation that is collected, kept, and shared. The yer has a duty to appropriately safeguard a
law contains three main components that will client’s property. A client file is considered
help protect sensitive information: (1) protection client property; thus the information contained
of Social Security numbers; (2) general safe- in a client file must be appropriately protected.
guards for data; and (3) notification of a security See Oregon Formal Eth-
breach. The safeguard standards became effective ics Opinion No. 2005-125, fn 2.
January 1, 2008; the remainder of the law became ORPC 1.6 requires lawyers to keep confidential
effective October 1, 2007. any “information relating to the representation of
Some law firms will not need to make any ad- a client.” In addition, the Act does not apply to
ditional changes to their law practice to comply law firms who comply with state or federal law
with the Act. In fact, many firms have already that provides greater protection to personal infor-
tHis issue
implemented most of the requirements because of mation, such as Title V (the privacy provisions) of
august 2008
the inherently confidential nature of operating a the Gramm-Leach-Bliley Act of 1999 (15 U.S.C.
issue 105 law practice. 6801 to 6809) or the Health Insurance Portabil-
ity and Accountability Act of 1996 (HIPAA)
Does the Act Apply to Lawyers? (45 CFR parts 160 and 164).
The new law applies to lawyers who, in the
course of their practice, maintain or possess an
What Does the Act Require?
individual’s personal information. “Personal in- The focus of the Act is to provide businesses
formation” means an individual’s unencrypted or with reasonable safeguards and procedures in
unredacted first name or first initial and last name handling and disposing of personal information
in combination with any one or more of the fol- and to protect the security, confidentiality, and
lowing: integrity of the information.
(1) Social Security number; One requirement that may be new to lawyers
is that Social Security numbers must be redacted
(2) Driver license number or state identifica-
tion card; Continued on page 2
DISCLAIMER
IN BRIEF includes claim prevention information that helps you to minimize the likelihood of being sued
for legal malpractice. the material presented does not establish, report, or create the standard of care
for attorneys. the articles do not represent a complete analysis of the topics presented, and readers
should conduct their own appropriate research.
6. on any materials that are mailed, publicly posted, or pub- What to Do After a Security Breach
licly displayed. This requirement does not apply to the use
of SSNs for internal verification purposes or as required by The good news is that the Act gives law firms guidance
state or federal law. Counties around the state have made on how to notify clients of a security breach. A “breach of
available a UTCR Form 2.100 Affidavit that segregates per- security” is an “unauthorized acquisition of computerized
sonal information from documents that are filed in court. The data that materially compromises the security, confidentiality
requirement does not apply to judgments, court orders, or or integrity of personal information.” A breach of security
indictments filed before October 1, 2007. can occur when a laptop or portable device is lost or stolen,
or any time a computer hacker or an unauthorized person ac-
If you collect any personal information, consider con- cesses personal information of a client.
firming in your fee agreement or engagement letter that the
information will be used only to provide legal representation If you discover that a security breach has occurred, you
to the client. If your client’s case necessitates mailing docu- must immediately notify those individuals whose informa-
ments that include Social Security numbers, you might also tion has been breached. You can notify clients by (1) mail;
want to get the client’s written consent. (2) e-mail (if this is the usual way you communicate with
your client); (3) telephone; or (4) substitute notice, in
For law practices that do not currently have a security limited circumstances, involving large cost or volume, as
program in place, these are the minimum requirements that specified by the Act. Whichever method of notification
should be implemented to comply with the Act: you select, be sure to document your efforts.
• Administrative safeguards – Identify what in- The notice must include the following information:
formation the firm collects, where it is stored, and how
to keep it safe; train employees in the security program; (1) a general description of the security breach;
ensure that contracted service providers will protect per- (2) the approximate date the breach occurred;
sonal information.
(3) the type of personal information obtained as a result
• Technical safeguards – Assess risks in your com- of the breach;
puter network and software programs; put in place safeguards
(4) your firm’s contact information;
to detect, prevent, and respond to attacks or system failures;
test the safeguards to make sure they work. (5) contact information for national consumer reporting
• Physical safeguards – Protect against unauthor-
agencies; and
ized access to or use of personal information. (6) advice to the individual to report suspected identity
The compliance standard for businesses with 50 or fewer theft to law enforcement, including the Federal Trade Com-
employees is to have safeguards and disposal measures that mission.
are “appropriate to the size and complexity of the small busi- For a sample notification letter, go to www.osbplf.org.
ness, the nature and scope of its activity, and the sensitivity Under Loss Prevention, select Practice Aids and Forms, then
of the personal information collected.” select Client Relations.
Practitioners must dispose of personal information Notification is not required if, after an investigation or
by burning, pulverizing, shredding, or erasing electronic after consultation with law enforcement agencies, you de-
media. When recycling an old computer, the hard drive termine that there is no reasonable likelihood of harm to
must be cleaned, destroyed, or reformatted. For infor- the client whose personal information has been breached.
mation on file management, retention, and destruction, When making this assessment, consider ORPC 1.4(b), which
go to www.osbplf.org. Under Loss Prevention, select requires lawyers to explain matters to cllients to the extent
Practice Aids and Forms, then select File Management. necessary for them to make informed decisions. Also, if your
Your security program should also include securely stor- judgment about whether to make the disclosure is impacted
ing sensitive information by using passwords and encryption – because you or someone in your firm was responsible for
and by securing information on portable devices such as lap- the breach – you may have a conflict due to a personal inter-
tops, USB Flash Drives, and PDAs. (See “Easy to Use or est under ORPC 1.7(a)(2). You must document your determi-
Easy to Lose? How to Protect Mobile Devices,” page 7.) nation in writing and retain it for five years.
If you discover a breach of security affecting more than
1,000 clients, you must immediately report your notification
steps to all national consumer reporting agencies. Currently,
august 2008 – Page 2 www.osbplf.org
7. there are four: Equifax, TransUnion, Experian, and Innovis.
Your report should include the timing, distribution, and con-
tent of the notification given and the police report number, if
available.
Post–security breach services, such as ID TheftSmart
(www.idtheftsmart.com), offer identity restoration and
credit monitoring services.
A PLF practice management advisor is available to
meet with you to discuss your firm’s security plan and
suggest other safeguards you may want to implement.
You can reach Beverly Michaelis at 503-924-4178 or bev-
erlym@osbplf.org; Sheila Blackford at 503-684-7421 or
sheilab@osbplf.org; and Dee Crocker at 503-924-4167 or
deec@osbplf.org.
Kimi Nam
PLF StaFF attorNey
Thanks to Helen Hierschbiel, OSB Deputy General Counsel,
for her assistance with this article.
august 2008 – Page www.osbplf.org
8. Identity Theft Protection
PLF/OSB Resources
Disaster Recovery In Brief Articles:
• Managing Practice interruptions • act now to avoid disaster (May 2008)
• Protecting your firm (includes Web resources) • Glb Privacy notice (tips, traps, resources,
Technology february 2006)
• How to back up your Computer • document destruction (June 2005)
• application service Providers • do you need to Know about HiPaa? (June 200)
File Management Oregon State Bar Bulletin Articles:
• file retention and destruction • the lawyer’s Guide to Mobile Computer security
(november 2007)
Client Relations • Metadata: Guarding against the disclosure of
• notice to Clients re theft of Computer embedded information (april 2007)
equipment • Metadata: danger or delight? (May 2006)
Additional Resources
State of Oregon’s Division of Finance and Corporate Securities (DFCS): http://www.cbs.state.or.us/dfcs/
id_theft.html. Contains sample notification letters, tips for protecting data, contact information for dfCs
representatives who can present information to your firm, and other resources.
Credit Reports and Credit Reporting Agencies: Consumers can obtain a free credit report once every 12 months.
free annual Credit report www.annualcreditreport.com will link you to three of the four national credit reporting
agencies (equifax www.equifax.com; experian www.experian.com; transunion www.transunion.com). innovis
is the fourth (www.innovis.com).
Federal Trade Commission: www.ftc.gov/infosecurity. Provides information for businesses about keeping
information secure. includes a tutorial and related articles on protecting personal information.
Department of Homeland Security’s National Strategy to Secure Cyberspace: http://www.dhs.gov/xlibrary/
assets/National_Cyberspace_Strategy.pdf. describes the roles and responsibilities of both public and private
sectors in the department’s efforts to secure cyberspace.
OnGuard Online: www.OnGuardOnline.gov. Gives practical tips from the federal government and technology
experts on how to guard against internet fraud, secure your computer, and protect personal information.
ABA Law Practice Management Section: www.abanet.org/lpm/resources/technology.shtml. Contains
excellent information for lawyers on identity theft, hacking, viruses, spyware , and more.
ABA Legal Technology Resource Center: www.abanet.org/tech/ltrc. Contains a comprehensive collection of
technology resources and information. see the article, “to catch a thief—tips and tools to protect your computer
investment,” at www.abanet.org/media/youraba/200806/article10.html, and also at www.osbplf.org.
ABA’s GPSolo Technology Practice Guide: www.abanet.org/genpractice/magazine/2006/jun/index.html.
Published by the General Practice, solo small firm division, the entire June 2006 issue (volume 2, number )
is devoted to technological issues such as mobility and security.
Internal Revenue Service: www.irs.gov. irs news release 2008-88, July 10, 2008, cautions about a new wave of scams
using the irs name in identity theft e-mails (phishing) involving tax refunds and economic stimulus payments.
Oregon Administrative Rule 160-100-0210: www.filinginoregon.com/notary/new_notary_journal_rule.htm.
this new rule, effective May 1, 2008, addresses protections for notaries and the clients they serve by helping the
notaries comply with the oregon Consumer identity theft Protection act.
august 2008 – Page www.osbplf.org
9. IN BRIEF PROFESSIONAL LIABILITY FUND
www.osbplf.org
M ALPRACTICE A VOIDANCE N EWSLETTER
WHAT TO DO ABOUT
STOLEN/LOST CLIENT FILES
FOR O REGON L AWYERS
You leave the office. It’s a typical busy day,
and you take a few files with you to work on at
home. On the way, you stop at the grocery store
to pick up a few items. On returning to the park-
ing lot, you realize your car has been stolen. As
you call the police and your insurance company
to report the incident, you realize that your client
files were in the car . . .
If this or a similar nightmare happens to you,
call the PLF for advice on how to discuss this
with your client. It is important to let your client
know that the file has been lost or stolen and that
you will be reconstructing the file. In addition, if
your file, briefcase, or laptop contained social se-
curity numbers, birth dates, or other information
that would allow someone to steal your client’s
identity, your client will need to know in order to
take the appropriate precautionary steps.
THIS ISSUE If your files are lost or stolen, contact your
October 2004 business insurance carrier to see whether your
Issue No. 93
business policy covers you for the cost of recon-
structing the file. This type of coverage is often
included in your property coverage and may be
referred to as Valuable Papers coverage.
The property coverage of your business in-
surance is also the coverage that would apply to
replacement of stolen laptops, although a deduct-
ible may apply.
To make sure you have the level and type of
coverage you want, contact your local insurance
broker. A wide range of coverage limits and busi-
ness coverage packages are available. Premiums
vary with the amount of coverage, usually run-
ning from $250 to $1,500 per year.
DISCLAIMER
THIS NEWSLETTER INCLUDES CLAIM PREVENTION TECHNIQUES THAT ARE DESIGNED TO MINIMIZE THE LIKELIHOOD OF BEING SUED FOR
LEGAL MALPRACTICE. THE MATERIAL PRESENTED DOES NOT ESTABLISH, REPORT, OR CREATE THE STANDARD OF CARE FOR ATTORNEYS.
THE ARTICLES DO NOT REPRESENT A COMPLETE ANALYSIS OF THE TOPICS PRESENTED AND READERS SHOULD CONDUCT THEIR OWN AP-
PROPRIATE LEGAL RESEARCH.
10. NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT
[Date]
IMPORTANT NOTICE TO ALL CLIENTS
RE: THEFT OF COMPUTER EQUIPMENT AND POSSIBLE BREACH OF INFORMATION
Dear Clients:
The purpose of this letter is to inform you that [describe event, such as: two of our laptops were
stolen recently]. The theft has been reported to the authorities, our property management staff,
our insurance carrier, and the three major U.S. credit bureaus.
Like many law offices, we maintain information on our computer system, including our laptops.
The information we store electronically includes financial data and client records. Our standard
practice is to protect all electronic information by [describe your standard practice, such as
password protection]. Despite these measures, there is a risk that your confidential information,
including your social security number or financial account information, may have been
compromised. We deeply regret any inconvenience this event may cause you.
You have the right to request that credit reporting agencies place “security freezes” or “fraud
alerts” in your credit file. Enclosed is important information from the Oregon Department
of Justice explaining your rights as a potential victim of identity theft. More information is
available on the Federal Trade Commission’s identity theft web site at www.ftc.gov/idtheft.
Because this is a serious incident, we strongly encourage you to take preventative measures
now to help prevent and detect any misuse of your information.
As a first step, we recommend you closely monitor your financial accounts and, if you
see any unauthorized activity, promptly contact your financial institution.
You also may want to consider requesting a free credit report from each of the three
companies. To order your free credit report, contact the Annual Credit Report Request Service:
Annual Credit Report Request Service
PO Box 105283
Atlanta, GA 30348-5283
www.annualcreditreport.com
Telephone: 1-877-322-8228
AnnualCreditReport.com is the official clearinghouse to help consumers obtain their free credit
report from each of the nationwide credit reporting agencies.
Even if you do not find any suspicious activity on your initial credit reports, the Federal
Trade Commission (FTC) recommends that you check your credit reports periodically. A
victim’s personal information is sometimes held for use or shared among a group of
thieves at different times. Checking your credit reports periodically can help you spot
[20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)
11. problems and address them quickly.
To protect yourself from the possibility of identity theft, Oregon law allows you to place a
security freeze on your credit files. By placing a freeze, someone who fraudulently
acquires your personal identifying information will not be able to use that information to
open new accounts or borrow money in your name. To place a security freeze on your credit,
you must contact each credit reporting agency individually by mail. For more information,
please refer to the enclosed information from the Oregon Department of Justice. For detailed
procedures, go to the Oregon Department of Consumer and Business Services at
http://www.dfcs.oregon.gov/id_theft.html and click on How to Obtain a Security Freeze.
[Optional: If you decide to freeze your credit as a precaution and do not qualify for a free
security freeze, our firm will cover the costs involved in placing the freeze with each credit
agency. Any charge incurred to lift or remove a freeze will be the individual client’s
responsibility. Please contact (specify name) at (specify method of contact) for more
information.]
[[Optional: To protect you we have retained [name of identity theft company], a specialist in
identity theft protection, to provide you with [specify years] year(s) of protection and restoration
services, free of charge. You can enroll in the program by following the enclosed directions.
Please keep this information. You will need the personal access code it contains in order to
register for services. The service package that we have arranged provides these protections for
you: [List specific services the client will receive].
While electronic information was lost as a result of this incident, please be assured that no
paper files or documents were taken. Your client file is safe. Our standard procedure is to store
client files in locked filing cabinets. Nevertheless, we are reviewing all our security measures to
determine if improvements can be made.
Specify how clients should contact you with questions:
[Option 1: We are sending this letter to all clients affected by this loss. Due to the number of
clients involved, please understand that it may be difficult for us to respond by phone to
individual inquiries about the [event]. Please forward any questions you have in writing to
[specify person and postal mail or e-mail address] and we will respond at the earliest possible
opportunity. We regret having to inform you of this incident and we apologize for any
inconvenience to you.]
[Option 2: If you have further questions or concerns, contact us at this special telephone
number: [specify number]. You can also check our Web site at www.ourwebsite.org for
updated information. We apologize for any distress this situation has caused you. We are
ready to assist you in any way.}
Sincerely,
[Attorney]
ENC.: Oregon Department of Justice: Credit and Identity Theft (Available at:
http://www.doj.state.or.us/finfraud/idtheft.shtml
Directions for Enrolling in Identity Theft Protection Service (if offered)
[20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)
12. NOTE: Visit the Oregon Division of Finance and Corporate Securities (DFCS) Web site,
http://www.dfcs.oregon.gov/id_theft.html. The DFCS is responsible for enforcement of the
Oregon Identity Theft Protection Act. Click on Tools for Businesses for more information on:
Protecting Social Security Numbers
Data Breach Notification Requirements
Sample Notification Letter
Protecting Data
Frequently Asked Questions
Additional Resources
Publication: Protecting Your Personal Information – A Business Guide
[20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)