Delayed breach notification letter from law firm raises more questions than it answers (updated)
Here’s another notification letter submitted to the California Attorney General’s Office that left me scratching my head. It’s from the law firm of Sprechman & Associates, P.A. in Miami, a firm that specializes in collections. My comments and questions are inserted in italics:
I am writing to advise you that your personally identifiable information (“Information”) may have been viewed by a former employee of Sprechman & Associates without permission. Specifically, the former employee may have viewed your name, address, date of birth, driver’s license number, and/or social security number.
“May have?” Why don’t you know? Don’t you maintain logs?
Sprechman & Associates learned of this incident in July 2012, but was unable to notify you until now because notification at that time may have interfered with a law enforcement investigation and the best known contact information for potentially affected individuals was not known until October 2012.
How did you learn of it? And when did the improper access occur, if it occurred? How long was this problem going on for? Was there any indication of misuse of anyone’s information? Did law enforcement actually ask you not to disclose this sooner or did you just make that decision on your own? If they asked you to delay notification, when did they tell you that you could go ahead and notify?
Although we cannot be sure that your Information was in fact used in an inappropriate manner, in an abundance of caution we are informing you that such viewing of your information may have occurred.
What Information May Have Been Viewed, When and By Whom?
One of our employees may have performed unauthorized searches on you. This information may have included your name, address, date of birth, driver’s license number, and social security number. We are advising you of this matter in an abundance of caution, but we stress that we cannot be sure that your Information was in fact used in an inappropriate manner. In fact, we cannot even be sure that your Information was actually viewed, but we are providing this notice out of an abundance of caution.
You can’t be sure it was viewed and/or misused, but you can’t be sure it wasn’t viewed and/or misused, right? So why aren’t you offering free credit protection and restoration services?
How Have We Responded to This Issue
Nonetheless, we certainly understand that this may be cause for concern. Additional information and support resources are available through the non-profit Identity Theft Resource Center at www.idtheftcenter.org, by calling (858) 693-7935, or via e-mail at [email protected]
Other Steps You Can Take: […]
So you haven’t actually done anything to respond to this issue other than notify law enforcement and send out this notification letter? How about hardening your security and access to records? How about improving auditing so you can tell who’s accessed what? How about offering affected individuals some services?
If the law firm would like to provide additional information, I’ll be happy to post it or update this entry, but overall, I find their notification and response inadequate. They do provide a phone number to call if recipients have questions, but the letter isn’t even signed by an individual – only by “Notice Department.”