Here’s another notification letter submitted to the California Attorney General’s Office that left me scratching my head. It’s from the law firm of Sprechman & Associates, P.A. in Miami, a firm that specializes in collections. My comments and questions are inserted in italics:
Dear XXXXXX:
I am writing to advise you that your personally identifiable information (“Information”) may have been viewed by a former employee of Sprechman & Associates without permission. Specifically, the former employee may have viewed your name, address, date of birth, driver’s license number, and/or social security number.
“May have?” Why don’t you know? Don’t you maintain logs?
Sprechman & Associates learned of this incident in July 2012, but was unable to notify you until now because notification at that time may have interfered with a law enforcement investigation and the best known contact information for potentially affected individuals was not known until October 2012.
How did you learn of it? And when did the improper access occur, if it occurred? How long was this problem going on for? Was there any indication of misuse of anyone’s information? Did law enforcement actually ask you not to disclose this sooner or did you just make that decision on your own? If they asked you to delay notification, when did they tell you that you could go ahead and notify?
Although we cannot be sure that your Information was in fact used in an inappropriate manner, in an abundance of caution we are informing you that such viewing of your information may have occurred.
What Information May Have Been Viewed, When and By Whom?
One of our employees may have performed unauthorized searches on you. This information may have included your name, address, date of birth, driver’s license number, and social security number. We are advising you of this matter in an abundance of caution, but we stress that we cannot be sure that your Information was in fact used in an inappropriate manner. In fact, we cannot even be sure that your Information was actually viewed, but we are providing this notice out of an abundance of caution.
You can’t be sure it was viewed and/or misused, but you can’t be sure it wasn’t viewed and/or misused, right? So why aren’t you offering free credit protection and restoration services?
How Have We Responded to This Issue
Nonetheless, we certainly understand that this may be cause for concern. Additional information and support resources are available through the non-profit Identity Theft Resource Center at www.idtheftcenter.org, by calling (858) 693-7935, or via e-mail at [email protected].
Other Steps You Can Take:
[…]
So you haven’t actually done anything to respond to this issue other than notify law enforcement and send out this notification letter? How about hardening your security and access to records? How about improving auditing so you can tell who’s accessed what? How about offering affected individuals some services?
If the law firm would like to provide additional information, I’ll be happy to post it or update this entry, but overall, I find their notification and response inadequate. They do provide a phone number to call if recipients have questions, but the letter isn’t even signed by an individual – only by “Notice Department.”
Update of 2-22-13: This turned out to be the Rodney Saint Fleur case, discussed in these posts.
Can you spot the logical fallacy?
“I could not call in July because the cops said not to. And, I didn’t have your number until October.”
The police could have begged them to call, their could have been a zillion dollar award for them calling, the newly-discovered 11th commandment could be “Thou shalt call”, and they still would have been unable. The police part is irrelevant. It only *might* have been relevant had the firm had sufficiently good contact information, which they say they didn’t.
Yep, I caught that, but since they were citing law enforcement as a (partial?) excuse or explanation, I decided to ask whether they had taken it on themselves or if they had actually been asked. I’ve seen notifications where entities said “We were asked not to notify… and were just informed on [date] that we could notify safely.” This firm didn’t say anything like that.
Am I being overly critical of this letter and the firm’s response or do you agree with my reaction?
I got the same letter from the firm and this is really fishy. If my IDENTITY was breached they need to provide free
Credit protection and restoration. I called my credit protection and alerted my bank. Go to annual credit report.com
You get a free credit report then in 4 month another one and in another 4 month another.
I received a near identical letter but it does not contain the part about law enforcement. I feel pretty certain it is a scam of some form. There’s no reason these people would even have my information.
They specialize in collections. If you ever owed a firm or practice money, of even if someone erroneously thought you owed them money, they might have referred the account to this group. I can’t imagine a law firm sending out notification letters as a scam. That would make no sense.
I know what you mean and that’s why I started looking into it. However, there’s almost zero probability that I could be on their files. I defintely don’t have any debt in default or that has ever been subject to a collections agency situation. There’s something just a little suspicious about the letter. I Googled it and found other indications it is a little suspect.
I received the same letter but it was addressed to one of my children. They have absolutely no credit. This letter is very suspicious. They should not have any info on me or any of my children. This needs to be investigated.
Here’s my guess as to how it works.
They have a person with a delinquent account called John Doe. They pull all the addresses for everyone they can find called John Doe. Then they send out a letter that contains a deliberatee falsehood (ie we’re so sorry about the privacy breach etc). They then hope that when multiple John Does respond to ask what this is about, they can track down the one they want.
In my book, that makes it just a variation of a more traditional phishing scam.
I received an almost identical letter today. I’m not calling. My opinion is it is a solicitation letter. I would think they would expect people to be alarmed and call them. Advertisement. Trash.
As a former employee of this firm I can tell you that Sprechman & Associates knew at least 2 years ago that there was a problem with an employees’ use of a restricted program that allowed this employee to view ALL sensitive data on any individual including names, aliases, place of employment, date of birth, address, phone number(s), social security number, etc. Sprechman & Associates sat on that information for all that time and did nothing. Worse was the fact that they were approached long ago by law enforcement about this problem employee and chose to keep him in his current position affording him full access to continue stealing this sensitive information.
The letter Sprechman & Associates sent out contains only partial truths and is wholly self-serving.
If you’re willing, please contact me by email to breaches[at symbol]databreaches.net. I’d like to get some more details from you… and any proof you might have.
Dear Admin
I’ve sent a reply to the email you have supplied above. Happy Holiday.
MB
Answered you from a databreaches.net address.
Mr. Admin
Did you find anything important about the problem from MB?
Me and my father both got a letter from this firm.
What I dont understand is how they would even have my info.
They are based in FL, and I live in PA. So yeah.
Please e-mail me if he is telling the truth b.c I dont know what to do.
They wont answer my calls.
[email protected]
I haven’t heard back from him, so I haven’t been able to start any investigation of this. I understand it’s difficult to trust a blogger you don’t know and who blogs pseudoanonymously, but regular readers know I do investigate and follow-up on breaches where/when I can. Unfortunately, without some specifics or details, there’s nothing I can really do on this one at this time, even though there have been enough concerns/complaints that I am curious, to say the least. If I get any specifics from MB or any other reader, I’ll do what I can. And, it’s “Ms. Admin” or just “Dissent.”
Below is a link to Florida’s Security Breach Law.
http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0800-0899/0817/Sections/0817.5681.html