As many as 500 current and former employees of San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may be at risk of identity theft after a laptop computer containing confidential employee pension plan information was stolen from an auditor.
The firm sent a notice to current and former partners, associates and staff in mid-August alerting them to the security breach.
"Given the circumstances of the theft, we think it is highly unlikely that the laptop was purloined because the thief knew that Howard, Rice employee names and Social Security numbers were resident on the computer," the letter stated. "Nonetheless, we want to treat this potential information breach with utmost caution."
California law requires all businesses to notify customers and employees if there is a danger that their personal data might have been compromised.
The laptop, owned by an employee of accounting firm Morris, Davis & Chan in Oakland, contained thousands of documents, including three spreadsheets with the names and Social Security numbers of all active and terminated Howard, Rice employees with a remaining balance in the firm's pension plans, as well as 401(k) and profit-sharing account information.
The computer was taken from the trunk of the auditor's car, parked in a public lot.
Howard, Rice executive director Michelle Johnson said the firm sent the notice to everyone as soon as the firm found out about the theft and has offered free credit reporting for anyone whose information had been on the stolen computer.
"This wasn't a theft of our property. All we know is that the computer was stolen, and so far we are not aware of anybody having their information compromised," Johnson said.
On Aug. 28, the firm sent an update saying that the information on the computer had not been encrypted but had been password protected.
But Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group, said passwords don't guarantee against identity theft.
"Password protection is not going to protect individuals from an experienced and knowledgeable thief," Givens said.
Data-security breaches involving stolen laptops are becoming more prevalent, Givens said. And law firms are not immune to such security breaches, she added.
"There have been security breaches involving major accounting firms and, frankly, they should know better. And the same goes with law firms," Givens said.
She said auditing firms and other corporate third parties are a key vulnerability when it comes to keeping customers' and employees' data secure.
Chevron reported last month that many of its employees' personal information had been contained on a laptop stolen from the company's accounting firm.
Givens said all businesses, including law firms, should have a company policy requiring third parties to store all data in an encrypted form.
"If the data had been encrypted, this would have been a non-issue," she noted.