Identity theft, via stored legal documents

Status
Not open for further replies.

Natey

New Member
Many attorneys appear to request financial documents (tax returns, pay statements, bank and retirement account statements, etc.) via e-mail.
They use hotmail, gmail, yahoo, aol, etc. email accounts to receive these documents.
If anyone should hack into their (attorney) email account, the availability of those documents poses a serious identity theft issue for their clients. And I doubt an attorney would ever know someone hacked into his email account and copied all his documents and logged out.
Google the issue of hacked email accounts, and you will see many people trying to get their accounts back; but that's only obvious if the hacker changed the password. Most hackers who go after financial info may choose to leave the account the way they found it, to not raise any suspicions that the account was compromised.

Banks and other financial institutions go to great lengths to protect financial information. What steps does the Legal community take in protecting those documents of their clients?
 
Ok, thelawprofessor, that's a good question for you. :)
 
There is a misconception as to what type of "hacking" typically takes place when people hear claims that their hotmail or gmail account was hacked. 99.9999% of the time it isn't Microsoft or Google who had their servers hacked. It's typically the good old-fashioned phishing attempts that result in an individual's email account being accessed without their authorization and without any liability on the part of the email service provider. I'm guessing it probably happens much more often on private email accounts than those run by these corporations - you'll never hear about the multitudes of private email hacking.

So what is phishing? It's a way to fool a person into giving up their password with or without their knowledge. It could be fake emails from a company that a person clicks and goes to another website that looks identical to the one they typically will use. Their password may be stored and given up, they may be prompted to enter their account information (which is then stored), etc. It could be someone who knows the email address of another and is simply using their birthday, address or children's birthdays to break in. Most of the large companies have security measures that block attempts after a few tries. They also have IP address checks and can block attempts from unusual IP addresses.

There may be other reasons why not to use gmail or hotmail for email, but I'd hardly say that they are insecure and unreliable. It just appears more unprofessional than others. In fact, many offices actually use gmail for their email except use it to provide email to and from their domain and with a greater degree of spam checking.
 
I don't know of many lawyers that use those insecure forms of electronic communication.

That said, the choice to respond to those email accounts is ultimately the sender's.

You can always fax the information, overnight courier it, US mail it, or even hand deliver it.
 
Good point - it does matter what they are sending. In some instances encryption is used and there are a myriad of products in the market that deal with any security requirements and authentication, such as electronic signatures. My point was just addressing the specific assumption that email from a private domain is secure while email using Google's Gmail is less secure.
 
I totally agree, Professor.

Google, Microsoft, and Yahoo have no interest in stealing your identity.

They simply want to know your likes so they can bombard you with advertising.
 
Attorneys often have "Law", "AtLaw", "attorney", "Atty", etc. as part of their e-mail names, so they are not too hard for hackers to spot. And there are companies that actually sell lawyer mailing lists, that include their e-mail addresses.
And many attorneys do send/receive financial docs via e-mail, especially the younger ones who often have a Facebook or LinkedIn account.
Plaintiff P1 was sending and receiving financial docs from Attorney A1 on gmail (actual names substituted). Defendant D1 (hotmail) was also sending financial statements to Attorney A2 (on yahoo).
A1 was not familiar with handling .zip files, and hence, password-protected zip files. No encryption of any of those docs at all; they were all plain JPG and PDF email attachments. Looks like gmail auto-stores/archived those in its Google Docs archives of the respective accounts in the Cloud. P1 was unaware of this.
The emails of A1 were also being copied to his paralegal's account. If any of those email accounts are compromised, it will defeat all the security measures the original financial institutions had put in place to protect said information.
A chain is only as good as its weakest link.

One example of a compromise that occurred:
http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app

Targeted attacks (via phishing):
http://www.foxnews.com/tech/2011/06/01/gmail-compromised-chinese-hackers-google-says/

When things are stored in the Cloud, there is no guarantee that they are physically located in the U.S.
If they are overseas, there may be less stringent laws there as to who can access that information on the foreign servers. It is not beyond certain dubious folks to sell such info to crime syndicates.
Some fax systems store docs in the Cloud too, and auto-forward those docs as email attachments. Can one identify such a fax system from the archaic ones that simply print to paper?

Notice Banks never say things like "it's the Sender's responsibility to ensure security of financial information". They institute a mechanism that is more secure than e-mailing unprotected financial information, and only use those channels for communication.
 