HLS loses sensitive data of 20,000 legal services center clients

BY ANDREW KALLOCH

Over 20,000 clients of the Wilmer-Hale Legal Services Center have had their personal data, ranging from addresses and social security numbers to sensitive legal intake information, potentially exposed, the Record learned late last night from Robb London, Associate Director of Communications.

Yesterday, HLS gave notice to Massachusetts Attorney General Martha Coakley, in accordance with a Massachusetts privacy statute that requires disclosure whenever stored data is in any way potentially compromised.

Additionally, the school has sent letters, in both English and Spanish, to the 8000 individuals whose Social Security numbers were lost, notifying them of the loss, giving them a point of contact at LSC, and offering identity and account protection services at the law school's expense. An additional letter went out to the 13,000 other clients affected.

The tape was lost on or around September 23. LSC has its servers on site in Jamaica Plain, unlike other Harvard clinicals such as Defenders, Prison Legal Assistance Project, or the Harvard Legal Aid Bureau, whose servers are located on campus and are encrypted. Each week, IT sends an employee to LSC to take out the data tapes and transport them to campus for backup. When IT went to back up the tapes two days after they were delivered from LSC, they noticed that only 5 of the 6 tapes were there.

Once it was determined that the tape was lost, IT took steps to discover what was on the missing tape. They found that the tape was part of the case management system of LSC, including 10 years' worth of client intake data.

It appears that the missing tape was lost in transit. According to HLS, the database on the backup tape was password protected, and getting into it requires considerable training and specialized equipment. London described the password protection as “almost the same level as encryption,” and stated that it would take “Herculean efforts and immense computing power,” to breach the security of the tape. London reiterated that there is no evidence that anyone’s identity has been disclosed or that the tape has been found.

Nevertheless, in response to this loss, HLS has changed its procedures regarding data protection at LSC. First, the servers at the Jamaica Plain site are now being encrypted. Second, data transport is now in the hands of a courier service known as Iron Mountain rather than IT. Third, a new tape library for LSC has been purchased, which includes a bar code reader for improved inventory control.

London refused to comment on any disciplinary action taken against IT employees.
