In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail. The file contained Social Security information and other financial data.
Seriously?
The envelope arrived without the USB drive. The firm contacted the post office.
What happened next is most bizarre. Here’s an excerpt from the law firm’s letter notifying the state attorney general:
On or about Monday September 10th, our office sent an unencrypted electronic copy (“thumb drive”) of a client file via US Postal Service. The envelope that the thumb drive was sent in was received by the recipient, damaged and without the thumb drive enclosed. We immediately contacted the USPS to investigate. A representative from our office spoke with a representative in the Claims and Inquiries Department of the USPS in Manchester, NH and learned that all items recovered from the mail processing center are sent to her department. She reported that because this was a common occurrence, she had several buckets of thumb drives that had similarly been torn free from their envelope in the mail sorting process. She did a visual review for the USB but did not find it. She also reported that the USPS has its own internal privacy policies that would preclude an employee from actually opening any of the USBs that are recovered. Based on this information, we do not have reason to believe the information has been accessed by individuals intending to misuse it. In fact, our investigation indicates that the most likely disposition of the thumb drive was that it was destroyed in a post office mail processing machine.
Where do I start?
First, post offices are keeping “buckets of thumb drives” that have fallen out of letters? Who knew?
Second, can anyone just stop by the post office and say they lost a thumb drive and grab one out of the buckets? This would be quite the trick-or-treating for hackers.
Third, the firm was unable to locate the thumb drive in the buckets, but concluded somehow that they had no reason to believe the information had been improperly accessed. Why not? Why wasn’t the thumb drive in the buckets with all the others? In a dog-ate-it style excuse, the case gets closed with the claim that the mail machine ate it.
This case is ridiculous in every way imaginable.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.