From DataBreaches’ “Now what does THIS mean?” file, a notification letter from Dell & Dean PLLC, a law firm in New York.
On July 17, Dell & Dean’s external counsel notified the Maine Attorney General’s Office about a breach in September 2022 that affected 6,803 people. A copy of the firm’s notification letter was appended to the submission, and DataBreaches looked for an explanation of why it took from September 2022 until July 2024 to notify those affected. The following is from their notification letter:
What Happened? On September 29, 2022, Dell & Dean became aware of a data security incident that impacted its server infrastructure and took its systems offline. We immediately undertook efforts to restore our servers and undertook additional affirmative steps to safeguard the security of data maintained on its systems. We also simultaneously retained a forensic investigation firm to determine the nature of the security compromise and identify any individuals whose information may have been compromised.
What Information Was Involved? The forensic investigation determined that access to Dell & Dean’s systems occurred on approximately September 28, 2022 through September 29, 2022. The investigation also identified certain files that may have been accessed or acquired in connection with the incident. In continuing its thorough investigation, we undertook a comprehensive manual review process to review these files and identify the specific individuals with personal information contained therein. This comprehensive manual review process concluded on or about May 30, 2024.
This was not a breach affecting millions of people. So why did it take so long to complete the breach review? Were there many scanned files that could not be machine-processed, or was there some other explanation for the delay in completing the process? They do not explain. And did the firm post any substitute notice in the interim to alert clients that their information may have been compromised?
Their letter continued (emphasis added by DataBreaches):
In an abundance of caution, Dell & Dean is providing this notification to you as your personal information may have been accessed and/or acquired in connection with the incident, including <><><><>. We have obtained confirmation to the best of our ability that the information is no longer in possession of the third party(ies) associated with this incident, and it is entirely possible that your specific personal information was not compromised as a result of the incident.
Well, there’s that “abundance of caution” claim again that we’ve grown to hate, especially when notification is not optional and was actually required by law. But it was the confirmation statement that really raised questions.
What confirmation did they obtain that the information was no longer in the hands of the third parties and how did they obtain it? Did they pay a ransom demand to have it allegedly deleted? Did law enforcement seize the servers on which their data resided? What is the basis for a statement that may reassure people that they may not be at risk when they really might be at risk?
Dell & Dean did not respond to an inquiry from DataBreaches asking them the basis for that statement, nor did they respond to a question asking them if any protected health information was accessed or acquired during the breach.
The firm offers those affected 12 months of complimentary mitigation services with Equifax, and encourages people to enroll in the service, but will the statements earlier in the letter lead people to think they can just skip that advice?