Thursday, July 7, 2011

Criminal Suspects Tipped-Off as Result of ADDA Treasurer's Security Breach

The Treasurer of the Association of Deputy District Attorneys had hundreds of unauthorized copies of confidential District Attorney's Office files relating to auto insurance fraud investigations on his personal laptop, together with details of Deputy District Attorneys' residences and bank accounts, when the laptop was stolen from his vehicle last summer, the Los Angeles Dragnet can reveal.

Criminal suspects' details were amongst the confidential files copied from the ADDA Treasurer's secure workstation to his insecure personal laptop. The DA's Office was legally required to notify and warn hundreds of persons potentially affected by the security breach, including those criminal suspects. As a consequence, criminal suspects were most likely "tipped-off" that they were under investigation by the District Attorney's Office Auto Insurance Fraud Division.

An anonymous comment posted on June 2, 2011 was the first indication that an ADDA Board Member had caused a major security breach thought, at first, to be limited to ADDA members' details. It now appears to have been a much larger security breach resulting in the tipping-off of criminal suspects.

It is not known whether any investigations were compromised as a result of the ADDA Treasurer's unauthorized handling of the DA's Office's confidential information, nor can it be determined whether witnesses who were among the thousands who received warning letters were deterred from cooperating with on-going investigations.

California's Security Breach Notification Act, State Bill 1386, embodied in California Civil Code Sections 1798.80 through 1798.82, requires disclosure of "any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

The DA's Office is believed to have based its warning letters on this "Sample Notice Letter" suggested by the COPP.

In order to ensure full compliance with the laws governing the content of warning letters required by California's Security Breach Notification Act, it is believed that the DA's Office used a "Sample Notice Letter" suggested by the California Office of Privacy Protection as the template for the hundreds of warning letters that were sent out on official District Attorney letterhead. The Sample Notice Letter is contained in the COPP's "Recommended Practices on Notice of Security Breach Involving Personal Information," which can be downloaded from the COPP website.

It is understood that the DA's Office assigned Senior Investigators from the Bureau of Investigation and support staff to spend weeks debriefing the ADDA Treasurer in order to identify the hundreds of individuals named in the files lost when the laptop was stolen. Having identified the potential victims, they then had to locate current addresses for those individuals, and then send them warning letters. The costs of complying with the Security Breach Notification Act are not known at this time, but can be reasonably expected to have been substantial.

A criminal defense attorney told the Dragnet that if his client had shown him the warning letter sent out by the DA's Office, he would have advised his client that he was "probably under investigation."

ADDA Did Not Warn Its Members of the Security Breach
While the DA's Office had no option but to comply with the notice requirements relating to the loss of confidential information, the ADDA does not appear to have felt obliged to act similarly in compliance with the Security Breach Notification Act. The ADDA member information held by the ADDA Treasurer certainly appears to meet the definition of "personal information" within the meaning of the Act, according to our sources.

The confidential data held by the ADDA is understood to have consisted of scanned image files of checks from DDAs who paid $30 to the Association in order to participate in a vote. The scanned images of those $30 checks contained the addresses, bank account details, and spouses' names of Deputy District Attorneys. It is also believed that additional files containing members' details were stored on the laptop.

No Comment From the ADDA
Although the security breach has been known about for at least four weeks since the first comment appeared on the Dragnet, the ADDA Board has not contacted the Dragnet to either confirm or deny the allegation that they neither complied with the law, nor acted to protect their members from the obvious risks posed by their security breach. ADDA President Hyatt Seligman had previously contacted the Dragnet regarding ADDA matters, so it can be assumed that he was fully aware of the allegation, but for whatever reason, has chosen not to respond.

One DDA who paid the ADDA with a $30 check told the Dragnet that he had not received any notice from the ADDA regarding the loss of his personal and bank information. Equally, no DDA has contacted the Dragnet to say they did receive a warning notice. While some comments posted over the past few weeks since the Dragnet became aware of the security breach purported to defend the ADDA's actions because "the loss of encrypted data does not have to be reported," the actions of the DA's Office in issuing thousands of warning notices indicate that the data was not encrypted and that warning notices were required both from the DA's Office and the ADDA.

ADDA Treasurer Loren Naiman Named As Responsible For Security Breach
"Anonymous 12:15AM," who posted the comment in response to our June 15, 2011 article, provided many of the missing details to this scandal, naming DDA Loren Naiman, the ADDA Treasurer, as being responsible for the security breaches.

It is known that Naiman either resigned or retired from the ADDA Board shortly after the security breach. No reason was given by the ADDA for Naiman's departure, and DDA Doug Sherrod was subsequently elected as Treasurer, beating former ADDA President Steve Ipsen for the position.

However, barely weeks after becoming Treasurer, Sherrod also suddenly resigned. Once again, the ADDA offered no reason for Sherrod's resignation, and the ADDA Board promptly appointed Naiman to resume his duties as Treasurer.

Although Naiman has resumed his duties as ADDA Treasurer, the DA's Office transferred him out of the Auto Insurance Fraud Division. We understand that Naiman believes that the transfer was in retaliation for his ADDA activities. It remains to be seen whether the merits of Naiman's beliefs will allow him to join the ADDA's much-touted "federal lawsuit" challenging transfers such as his as "union busting."

The apparent failure of the ADDA to follow the law and warn members of the risks to their personal and financial security posed by their personal information falling into the hands of criminals will do little to boost the image of the current leadership of the ADDA. Many DDAs who spoke to the Dragnet on background were shocked that the ADDA would try to cover up such a serious security breach. "Our families and finances were put at risk by these people," one DDA said.

ADDA Bylaws Devoid of Member Privacy Protection Regulations
Although Naiman's unauthorized copying and storage of the DA's Office confidential information appears to be in violation of Section 7.12.00 of the Personnel Policies Handbook (Confidential and Sensitive Information - Policy) and the "Policy Statement - Privacy, Security and Confidentiality," Naiman's copying and storage of members' checks as well as any other ADDA member data that was on his laptop does not appear to violate any section of the ADDA's Bylaws. That's because the ADDA does not have any measures designed to protect its members from the loss of personal confidential information.

ADDA Board Accused of Hypocrisy
While the ADDA have sued DDA Peter Burke for "violating privacy" and "union busting" because he was freely given a list of ADDA member names by the County Employee Relations Commission (ERCOM), and that list was turned over to the DA's Office Administration, it does appear that the ADDA has a different definition of "privacy" when it comes to allowing criminals to obtain the names of ADDA members.

That point was made by the "Anonymous 12:15AM" comment, which can be seen by scrolling down to the bottom of our June 15, 2011 article; however, we repeat here what some might agree to be a particularly apt portion of that comment:

"It is ironic that when Peter Burke was freely given a list of the names of ADDA members which he turned over to the administration, the ADDA "had a cow" about it claiming it was a violation of privacy. Had Burke allowed that list to be stolen from his car, I guess you would have no beef. What a bunch of hypocrites!"

"Anonymous 12:15AM" ends his comment with the Latin phrase "Res Ipsa Loquitur," generally accepted to mean "The facts speak for themselves."



Anonymous said...

Ultimate irony or smoking gun - ADDA just sent out email blast asking DDAs to renew or update their contact information. Guess they must have lost that info from Naiman's laptop. Anyone crazy enough to trust the ADDA with their information again?

Anonymous said...

Berger/Joe Friday/Windscale. The ADDA bylaws DO NOT REQUIRE any notifications regarding security breaches so STFU or you will be next in line to be in front of federal judge Otis D. Wright II. Retract your hate filled hit piece and apologize to ADDA Board Majority who did nothing wrong. This is an old story - a year has passed and NO DDA has been a victim of ID Theft so get over it and get on with your job.

Anonymous said...

Naiman's supervisor was Peter Burke at the time wasn't it? So, Burke set up this entire ordeal and is feeding info to Berger on behalf of Cooley. What DA investigator broke into Naiman's car for Cooley? We know Cooley sends DA investigators out as his hit men. Cooley has the laptop on the 18th floor. All the more reason why the ADDA voted to affiliate, why Agency shop will pass and why Cooley is frantic at losing his power, thus hiring Berger to blog on county time, Burke to do his dirty work and why no one trusts the wrath of this pathetic administration and the minion blogger Berger who will soon have Trutanich for a boss. How's that line of accusations compare to Berger's? Cooley should spend millions of taxpayer money to investigate this.

Anonymous said...

@8:31am Excellent point, I don't think so. It makes no sense that ADDA has kept its mouth shut about this. They would have been shouting and screaming union-busting all the way to federal judge Otis D. Wright II if there was a grain of truth in this typical ADDA Board Majority lie. Face it, this is a major screw up.

Anonymous said...

I hope that someone finds a way to get the post at 7-7-2011 @ 8:06am in front of Judge Wright. In one rambling diatribe, this ADDA shill has summarized the true nature of the ADDA leadership and their various litigation strategy. The ADDA is not about protecting DDA's free speech rights, it's about squashing them; it's not about presenting the truth, it's about covering it up; it's not about getting DDA's more money, it's about forcing everyone to surrender an increasing chunk of their pay each month.

And for what? To basically build a branch of the "Ipsen for DA" campaign that is thinly disguised as a labor union. If you want to know the true quality of any institution, look at how it deals with reasonable dissent.

In the case of the ADDA you get a tantrum and a threat to drag you in front of Judge Otis Wright. So much for the civil rights of the rank and file.

Anonymous said...

Did anyone see Jackson's new ad? Someone should do a comparison between Lacey and Jackson's spots. lol

Anonymous said...

In relation to the theft of Naiman's laptop, there is one important aspect to this whole mess that everyone is overlooking: who were the DDAs whose checks had been scanned.

These weren't just normal ADDA members. These people had been targeted. You see, an important part of the Burke lawsuit that many forget is that Burke also alleged that the ADDA board had illegally raised the price of the dues. Through an illegal vote, the Board changed the dues from $30 a year to several hundred dollars a year (just how bad a hit is determined by the DDA's rank).

Burke challenged this, and solicited a number of DDAs to join at the "$30" rate to contest the hike in dues and preserve their voting rights as members. By submitting the $30 check, these DDAs were protesting against the ADDA Board and the Board knew it.

So why was Naiman paying special attention to these particular ADDA members by scanning in THEIR checks and collecting THEIR data? What did the ADDA board have planned for them? What information had been collected about them? One thing is certain, behind the scenes they were being treated differently than the members who simply agreed to the massive increase in dues.

Anonymous said...

2:35pm - thanks for explaining this. I was wondering why they wanted to keep scanned copies of checks. This makes sense now. BTW the ADDA did take action to protect themselves after the laptop was stolen - they changed their bank accounts.

Anonymous said...

These ADDA guys spend a lot of time and energy running their own thought police on their members.

Anonymous said...

Supposedly, Sherrod got one look at the ADDA finances and quit so fast that he was out the door before anyone knew what had happened. Only smart guy in the building.

When agency fails, it's gonna be rats leaving a sinking ship...