Criminal suspects' details were amongst the confidential files copied from the ADDA Treasurer's secure workstation to his insecure personal laptop. The DA's Office was legally required to notify and warn hundreds of persons potentially affected by the security breach, including those criminal suspects. As a consequence, criminal suspects were most likely "tipped-off" that they were under investigation by the District Attorney's Office Auto Insurance Fraud Division.
California's Security Breach Notification Act, State Bill 1386, embodied in California Civil Code Sections 1798.80 through 1798.82, requires disclosure of "any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
The DA's Office is believed to have based its warning letters on this "Sample Notice Letter" suggested by the COPP.
It is understood that the DA's Office assigned Senior Investigators from the Bureau of Investigation and support staff to spend weeks debriefing the ADDA Treasurer in order to identify the hundreds of individuals named in the files lost when the laptop was stolen. Having identified the potential victims, they then had to locate current addresses for those individuals, and then send them warning letters. The costs of complying with the Security Breach Notification Act are not known at this time, but can be reasonably expected to have been substantial.
A criminal defense attorney told the Dragnet that if his client had shown him the warning letter sent out by the DA's Office, he would have advised his client that he was "probably under investigation."
ADDA Did Not Warn Its Members of the Security Breach
While the DA's Office had no option but to comply with the notice requirements relating to the loss of confidential information, the ADDA does not appear to have felt obliged to act similarly in compliance with the Security Breach Notification Act. The ADDA member information held by the ADDA Treasurer certainly appears to meet the definition of "personal information" within the meaning of the Act, according to our sources.
The confidential data held by the ADDA is understood to have consisted of scanned image files of checks from DDAs who paid $30 to the Association in order to participate in a vote. The scanned images of those $30 checks contained the addresses, bank account details, and spouses' names of Deputy District Attorneys. It is also believed that additional files containing members' details were stored on the laptop.
No Comment From the ADDA
Although the security breach has been known about for at least four weeks since the first comment appeared on the Dragnet, the ADDA Board has not contacted the Dragnet to either confirm or deny the allegation that they neither complied with the law, nor acted to protect their members from the obvious risks posed by their security breach. ADDA President Hyatt Seligman had previously contacted the Dragnet regarding ADDA matters, so it can be assumed that he was fully aware of the allegation, but for whatever reason, has chosen not to respond.
One DDA who paid the ADDA with a $30 check told the Dragnet that he had not received any notice from the ADDA regarding the loss of his personal and bank information. Equally, no DDA has contacted the Dragnet to say they did receive a warning notice. While some comments posted over the past few weeks since the Dragnet became aware of the security breach purported to defend the ADDA's actions because "the loss of encrypted data does not have to be reported," the actions of the DA's Office in issuing thousands of warning notices indicate that the data was not encrypted and that warning notices were required both from the DA's Office and the ADDA.
ADDA Treasurer Loren Naiman Named As Responsible For Security Breach
"Anonymous 12:15AM," who posted the comment in response to our June 15, 2011 article, provided many of the missing details to this scandal, naming DDA Loren Naiman, the ADDA Treasurer, as being responsible for the security breaches.
It is known that Naiman either resigned or retired from the ADDA Board shortly after the security breach. No reason was given by the ADDA for Naiman's departure, and DDA Doug Sherrod was subsequently elected as Treasurer, beating former ADDA President Steve Ipsen for the position.
However, barely weeks after becoming Treasurer, Sherrod also suddenly resigned. Once again, the ADDA offered no reason for Sherrod's resignation, and the ADDA Board promptly appointed Naiman to resume his duties as Treasurer.
Although Naiman has resumed his duties as ADDA Treasurer, the DA's Office transferred him out of the Auto Insurance Fraud Division. We understand that Naiman believes that the transfer was in retaliation for his ADDA activities. It remains to be seen whether the merits of Naiman's beliefs will allow him to join the ADDA's much-touted "federal lawsuit" challenging transfers such as his as "union busting."
The apparent failure of the ADDA to follow the law and warn members of the risks to their personal and financial security posed by their personal information falling into the hands of criminals will do little to boost the image of the current leadership of the ADDA. Many DDAs who spoke to the Dragnet on background were shocked that the ADDA would try to cover up such a serious security breach. "Our families and finances were put at risk by these people," one DDA said.
ADDA Bylaws Devoid of Member Privacy Protection Regulations
Although Naiman's unauthorized copying and storage of the DA's Office confidential information appears to be in violation of Section 7.12.00 of the Personnel Policies Handbook (Confidential and Sensitive Information - Policy) and the "Policy Statement - Privacy, Security and Confidentiality," Naiman's copying and storage of members' checks as well as any other ADDA member data that was on his laptop does not appear to violate any section of the ADDA's Bylaws. That's because the ADDA does not have any measures designed to protect its members from the loss of personal confidential information.
ADDA Board Accused of Hypocrisy
While the ADDA have sued DDA Peter Burke for "violating privacy" and "union busting" because he was freely given a list of ADDA member names by the County Employee Relations Commission (ERCOM), and that list was turned over to the DA's Office Administration, it does appear that the ADDA has a different definition of "privacy" when it comes to allowing criminals to obtain the names of ADDA members.
That point was made by the "Anonymous 12:15AM" comment, which can be seen by scrolling down to the bottom of our June 15, 2011 article; however, we repeat what some might agree to be a particularly apt portion of that comment here:
"It is ironic that when Peter Burke was freely given a list of the names of ADDA members which he turned over to the administration, the ADDA "had a cow" about it claiming it was a violation of privacy. Had Burke allowed that list to be stolen from his car, I guess you would have no beef. What a bunch of hypocrites!"
"Anonymous 12:15AM" ends his comment with the Latin phrase "Res Ipsa Loquitur," generally accepted to mean "The facts speak for themselves."