From wireless networks to phony IRS agents, attorneys must be vigilant
By Jan Pudlow
Lawyers know they have a duty to keep their clients’ information private, but in today’s high-tech world, pitfalls lurk like bogeymen behind bushes.
J.R. Phelps, director of The Florida Bar’s Law Office Management Assistance Service, shares three horror stories: client files accessed by a stranger with a laptop and wireless card, theft by a phony IRS agent, and paying a settlement to an identity thief.
Consider the recent nightmare of a lawyer in Alberta, Canada, who was shocked speechless to learn his unprotected computer server allowed access to hundreds of client files filled with personal information, such as driver’s licenses, social insurance numbers, work histories, and criminal records.
It could be an identity thief’s dream.
The lawyer’s system was accessed by a man who had just started a job in a nearby downtown building and brought his laptop to work while his new boss set up his work computer. The laptop had a wireless card, allowing it to connect to any nearby wireless access point. Most access points require a password to join; this one did not. Once the laptop joined the network, the lawyer’s system invited the man to log onto one of its databases.
The lawyer had set up the wireless system himself and thought it was secured by an encrypted password.
Alberta’s privacy commissioner, Frank Work, ordered an investigation of what he called a “significant” breach “that sets a big precedent because everyone is going wireless these days.”
Phelps read about the Canadian catastrophe in the Edmonton Journal and exclaimed: “This could just as easily have happened in Florida!”
“One of the most important lessons to be drawn from the story is the importance of dividing the wired and wireless portions of a network into different segments, with a firewall in between,” Phelps said. “This should have prevented the hacker from accessing the wired network by breaking in through the wireless network.”
Phelps acknowledges the benefits of “a no-wires-attached-access-anywhere approach to networks. However, wireless applications have not become ubiquitous throughout the legal community for a very solid reason: risk.”
To minimize risk, Phelps offers this security advice to any law firm considering the installation of a wireless environment (Get ready to get a little technical):
“At a minimum, WPA2 encryption should be utilized. WPA2 is second-generation encryption technology, and as of March 13, 2006, all equipment using the WiFi trademark must be certified for WPA2.
“Another approach is to use VPN (virtual private network) technology. This creates another layer of networking on top of the wireless network. This additional layer is also encrypted. Because VPNs are implemented in software, they are independent of any weaknesses in the network technology, and can be used with any vendor’s network cards.”
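The lawyer in the Alberta story thought his access point was secured, and the advice above sets WPA2 as the floor. The check a practitioner wants is to verify what the access point actually advertises rather than what the setup wizard claimed. The following is an added example, not code from the article or from The Florida Bar: it classifies the access points in a scan as open, WEP, WPA1-only, WPA2 or WPA3 from the capability and RSN/WPA elements. The sample input is constructed here and modeled on the text printed by the Linux `iw dev wlan0 scan` command; the function and variable names are the example's own.

```python
"""Classify nearby access points by the security they actually advertise.

Added example, not from the Florida Bar News article. SAMPLE_SCAN is a
constructed sample modeled on `iw dev wlan0 scan` output; to audit your own
access point, run that command (as root) and pass its text to classify_scan().
"""

# Constructed sample: four access points, one at each security level.
SAMPLE_SCAN = (
    "BSS 00:11:22:33:44:55(on wlan0)\n"
    "\tSSID: LawOfficeGuest\n"
    "\tcapability: ESS (0x0001)\n"            # no Privacy bit: open network
    "BSS 00:11:22:33:44:66(on wlan0)\n"
    "\tSSID: LawOfficeOld\n"
    "\tcapability: ESS Privacy (0x0011)\n"    # Privacy bit but no WPA/RSN: WEP
    "BSS 00:11:22:33:44:77(on wlan0)\n"
    "\tSSID: LawOfficeWPA\n"
    "\tcapability: ESS Privacy (0x0411)\n"
    "\tWPA:\t * Version: 1\n"                 # WPA element only, no RSN: WPA1
    "\t\t * Group cipher: TKIP\n"
    "\t\t * Pairwise ciphers: TKIP\n"
    "\t\t * Authentication suites: PSK\n"
    "BSS 00:11:22:33:44:88(on wlan0)\n"
    "\tSSID: LawOffice\n"
    "\tcapability: ESS Privacy (0x0411)\n"
    "\tRSN:\t * Version: 1\n"                 # RSN element with CCMP: WPA2
    "\t\t * Group cipher: CCMP\n"
    "\t\t * Pairwise ciphers: CCMP\n"
    "\t\t * Authentication suites: PSK\n"
)


def parse_scan(text):
    """Split iw scan output into one dict per BSS (access point)."""
    networks = []
    current = None
    for line in text.splitlines():
        if line.startswith("BSS "):
            bssid = line.split()[1].split("(")[0]
            current = {"bssid": bssid, "ssid": "", "privacy": False,
                       "wpa": False, "rsn": False, "ciphers": set(), "auth": set()}
            networks.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("capability:"):
            # The Privacy capability bit means "some encryption"; by itself it
            # is WEP unless a WPA or RSN element follows.
            current["privacy"] = "Privacy" in s
        elif s.startswith("RSN:"):
            current["rsn"] = True       # RSN element = WPA2 (or WPA3) support
        elif s.startswith("WPA:"):
            current["wpa"] = True       # vendor WPA element = WPA1 support
        elif s.startswith("* Pairwise ciphers:"):
            current["ciphers"].update(s.split(":", 1)[1].split())
        elif s.startswith("* Authentication suites:"):
            current["auth"].update(s.split(":", 1)[1].split())
    return networks


def classify(net):
    """Map one parsed BSS to the strongest protocol it actually offers."""
    if not net["privacy"]:
        return "OPEN"
    if not net["rsn"] and not net["wpa"]:
        return "WEP"
    if not net["rsn"]:
        return "WPA1-only"
    if "TKIP" in net["ciphers"]:
        return "WPA2-with-TKIP"   # RSN present but legacy cipher still allowed
    if "SAE" in net["auth"] and "PSK" not in net["auth"]:
        return "WPA3"
    return "WPA2"


def classify_scan(text):
    """SSID -> security level for every access point in the scan text."""
    return {n["ssid"]: classify(n) for n in parse_scan(text)}


def meets_minimum(level):
    """The article's floor is WPA2; WPA3 exceeds it, everything else fails."""
    return level in ("WPA2", "WPA3")


if __name__ == "__main__":
    for ssid, level in classify_scan(SAMPLE_SCAN).items():
        print(f"{ssid:16} {level:15} {'ok' if meets_minimum(level) else 'FAIL'}")
```

A network that advertises both a WPA and an RSN element is a transition-mode network; the classifier reports it as `WPA2-with-TKIP` so that it is not mistaken for a clean WPA2 deployment.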
Said Bar Ethics Counsel Elizabeth Tarbert: “Lawyers have an obligation of confidentiality, which requires that lawyers take reasonable precautions against inadvertently disclosing client information, as well as against purposefully disclosing client information.
“Lawyers also have a duty of competence, which includes keeping current with technological changes that may affect the lawyers’ clients.”
PI and ID Theft
The second cautionary tale is about a Florida lawyer who called LOMAS in April after learning the firm had recently settled a personal injury case with an individual who had just been arrested for identity theft. In its file, the firm had a copy of the person’s driver’s license using the name of the person he claimed to be.
“Unfortunately, fraudulent identification is really not that difficult to acquire,” Phelps said. “In reality, attorneys and law firms are also vulnerable to increasingly sophisticated schemes of career criminals and fraud rings. Whether it be from identity theft, stolen or intercepted data, lawyers handling fiduciary matters, and holding confidential information, such as Social Security numbers of clients and other sensitive financial data, must take extra precautions in today’s world.”
Where’s the Money?
And in the third real-life fiasco involving fraud, a law firm bookkeeper called LOMAS to report the firm had been scammed out of its month-end payroll tax deposit. Here’s how it worked, according to Phelps: The bookkeeper received a call from someone claiming to be from the IRS stating that the last month-end payroll tax had not been received. The caller insinuated that unless the IRS could track the payment electronically from her bank account on that day, there would be a significant penalty assessed.
The bogus IRS agent asked for the account number of the firm’s checking account, the bank’s routing number, and the amount of her payroll tax payment so the IRS could track the payment.
The bookkeeper figured the request for that information was logical and thought all was fine — until she opened the following month’s bank statement. An amount equal to the previous month-end payroll tax was listed as a disbursement paid to a business unknown to the firm with a notation TEL (telephone initiated entry). Her payroll tax check to the IRS cleared. The firm had been scammed.
“A key difference between checks and electronic payments is that when funds are electronically debited through the ACH (Automated Clearing House) network, the transaction is initiated by the business that is going to receive the funds, not by the person paying the bill. For example, if you pay your electric bill automatically, each month the electric company — not you — instructs the bank to have money withdrawn from your checking account.
“The bogus IRS agent utilized a TEL type of electronic payment, which the ACH network accepts. This is similar to paying something over the phone with a credit card, but instead of providing your credit card number you provide your banking account information off the bottom of your check. However, unlike other types of ACH transactions, no written approval is required and the potential for fraud is greatly increased.
“The company initiating a telephone transfer through the ACH network is required to use ‘commercially reasonable procedures’ to verify the identity of the customer. Businesses are only required to record your verbal authorization or hold off making the transfer until they send you written confirmation that you verbally authorized it. They seldom use written confirmation; they just record your phone authorization.
“In this case, they recorded enough of her conversation to make it seem she had authorized the deduction.”
What is the best way to protect yourself from this kind of fraud?
The bottom line is to reconcile every bank statement as soon as it arrives, rather than filing it away unread.
“It is up to you to object to a questionable ACH withdrawal on your account. Your bank has nothing to do with authorizing these payments and has no way of knowing whether they are legitimate or not, until you complain.
“You have 60 days from the time your bank statement is sent to you to contest an ACH debit on your account. Moreover, your bank is not liable for fraudulent ACH activity.
“Again, ACH payments are different from other account activity. Typically, your bank is responsible for obtaining proper authorization to access your account — your ID if you visit the bank in person or your signature on a check. But ACH entries are different. By law, it is the merchant’s bank which originated the payment, and not your bank, that bears the final responsibility for any fraudulent entries.
“By law, you cannot be responsible for fraudulent charges, if you report them in time. Your best defense is to view your bank statements regularly and protect your checking account information and checkbook as carefully as you protect your credit cards. Even if you never pay a bill by phone or through automatic deduction, your bank account is vulnerable.
“Forewarned is forearmed.”
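The fraud above left two fingerprints on the statement: a TEL-coded ACH debit to a payee the firm had never authorized, and an amount that exactly duplicated the payroll tax check that also cleared. The following is an added example, not code from the article or from LOMAS, of the reconciliation check a bookkeeper could run each month: it parses statement lines, flags TEL debits to unknown payees, notes when such a debit duplicates another outgoing payment, and reports how many days remain in the dispute window. The statement lines, the payee list and the CSV layout are constructed for the example (real bank exports differ), and the 60-day window is the article's figure, kept as a parameter because the bank's own account agreement may set a different deadline.

```python
"""Flag suspicious telephone-initiated (TEL) ACH debits on a bank statement.

Added example, not from the Florida Bar News article. SAMPLE_STATEMENT is a
constructed CSV; adapt parse_statement() to your own bank's export format.
"""
import csv
import io
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample statement. Columns: posting date, description, amount
# (negative = debit), and the code banks print beside each entry (TEL, PPD,
# CHK, DEP ...). Line 3 reproduces the pattern from the story: a TEL debit
# to an unknown business for exactly the payroll tax amount.
SAMPLE_STATEMENT = """\
date,description,amount,code
2007-05-01,DEPOSIT CLIENT RETAINER,5000.00,DEP
2007-05-02,CHECK 1042 PAYABLE TO IRS,-4312.50,CHK
2007-05-03,ACH DEBIT QUICKPAY SOLUTIONS LLC,-4312.50,TEL
2007-05-05,ACH DEBIT FPL ELECTRIC,-188.20,PPD
2007-05-09,ACH DEBIT ABC OFFICE SUPPLY,-74.99,TEL
"""

# Payees the firm has actually authorized to debit the account (assumed list).
KNOWN_PAYEES = {"FPL ELECTRIC"}


def parse_statement(text):
    """Parse the CSV statement into typed rows (dates and Decimal amounts)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(r["date"]),
            "description": r["description"].strip(),
            "amount": Decimal(r["amount"]),
            "code": r["code"].strip(),
        })
    return rows


def payee_of(description):
    """Strip the 'ACH DEBIT ' prefix this bank puts before the originator name."""
    prefix = "ACH DEBIT "
    return description[len(prefix):] if description.startswith(prefix) else description


def find_suspicious_tel_debits(rows, known_payees=KNOWN_PAYEES):
    """Return TEL-coded debits to payees the firm never authorized.

    Each finding lists any other outgoing payment with the identical amount,
    the tell-tale sign in the bogus-IRS case.
    """
    outgoing = [r for r in rows if r["amount"] < 0]
    findings = []
    for r in outgoing:
        if r["code"] != "TEL":
            continue
        payee = payee_of(r["description"])
        if payee in known_payees:
            continue
        duplicates = [o["description"] for o in outgoing
                      if o is not r and o["amount"] == r["amount"]]
        findings.append({
            "date": r["date"],
            "payee": payee,
            "amount": -r["amount"],
            "duplicates_amount_of": duplicates,
        })
    return findings


def days_left_to_dispute(statement_sent, today, window_days=60):
    """Days remaining to contest an entry, counted from the day the statement
    was sent. 60 days is the figure given in the article; pass your bank's
    own deadline if the account agreement sets a different one.
    Dates may be date objects or ISO 'YYYY-MM-DD' strings."""
    if isinstance(statement_sent, str):
        statement_sent = date.fromisoformat(statement_sent)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    deadline = statement_sent + timedelta(days=window_days)
    return (deadline - today).days


if __name__ == "__main__":
    rows = parse_statement(SAMPLE_STATEMENT)
    for f in find_suspicious_tel_debits(rows):
        print(f"{f['date']} TEL debit {f['amount']} to {f['payee']!r}; "
              f"same amount as: {f['duplicates_amount_of']}")
    print("days left to dispute:", days_left_to_dispute("2007-06-01", "2007-06-20"))
```

Run against the sample, the check reports the QUICKPAY SOLUTIONS LLC debit as matching the IRS check to the cent and the ABC OFFICE SUPPLY debit as an unauthorized TEL entry with no matching payment; the authorized electric-company debit is ignored. Any finding is something to dispute with the bank before the window closes, which is why the script reports the days remaining rather than just the entries.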