Resources for Lawyers Who Have Experienced Theft of Client Information


Beverly A. Michaelis, J.D.

Professional Liability Fund Practice Management Advisor

Main 503.639.6911 – Oregon Toll Free 800.452.1639

Direct Dial 503.924.4178

[email protected] http://twitter.com/OreLawPracMgmt

http://www.linkedin.com/in/beverlymichaelis

www.osbplf.org

Resources for Lawyers Who Have Experienced Theft of Client Information

This PDF includes articles and a sample client letter which can be modified as needed. Please call or e-mail me if you have any questions.

Beverly Michaelis

Professional Liability Fund

www.osbplf.org

Malpractice Prevention Education for Oregon Lawyers

This Issue: August 2008

Issue 105

DISCLAIMER

IN BRIEF includes claim prevention information that helps you to minimize the likelihood of being sued for legal malpractice. The material presented does not establish, report, or create the standard of care for attorneys. The articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate research.

Easy to Use or Easy to Lose? How to Protect Mobile Devices

Mobile devices like the BlackBerry and Palm Treo have become indispensable tools for many lawyers. Compact and easy to use, these devices offer quick access to calendars, contacts, e-mail, documents, and other sensitive personal and client information. Unfortunately, the portability of such devices also makes them highly prone to loss or theft. If you or members of your firm use a PDA, smartphone, or similar device, take appropriate steps to protect client confidentiality:

1. Limit Use. Restrict the type of information stored on a handheld device to reduce your exposure.

2. Standardize. If more than one handheld device is used, everyone in the firm should use the same type of device. Do not allow outside devices. In the event of a problem, it will be easier to implement a firm-wide solution if everyone is using the same product.

3. Password Protect. Use “power-on” passwords. If the device is lost or stolen, data on the device cannot be accessed without the password.

4. Use the Lock-out Feature. Set devices to lock out users after a specified number of incorrect log-in attempts. Use “sleep” settings to lock devices after 10 or 15 minutes of inactivity.

5. Consider Encryption or Biometrics. Products like SafeGuard PDA from Utimaco go beyond password protection and lockouts to protect data by using encryption and biometrics. Biometrics protect data by requiring signature, voice, or fingerprint authentication. If the device doesn’t recognize the user, it can’t be accessed. Visit http://americas.utimaco.com/safeguard_pda for more information.

6. Explore Data Wiping. Research in Motion’s BlackBerry Enterprise Server, as an example, comes with a feature that wipes all data from the device’s memory once a certain number of failed log-in attempts are exceeded. The current version of Microsoft Exchange provides for a remote wipe of a lost or stolen Windows PDA. Remember that if you have regularly synchronized your device, the destroyed data can be easily restored to a replacement device.

7. Starve the Virus. Virus attacks on handheld devices are rare but potentially devastating if a compromised mobile device is synched to a desktop or network. All the major antivirus vendors, including Symantec (Norton Smartphone Security) and McAfee (McAfee Mobile Security), offer security products designed for mobile platforms. Visit www.symantec.com and www.mcafee.com for more information.

8. Learn More. To learn more about mobile devices, visit resources like the PDA Learning Center at http://palmtops.about.com/od/pda-learningcenter/PDA_Learning_Center.htm or www.pdatoday.com.

Beverly A. Michaelis

PLF Practice Management Advisor

PROFESSIONAL LIABILITY FUND

www.osbplf.org

IN BRIEF

MALPRACTICE AVOIDANCE NEWSLETTER FOR OREGON LAWYERS

THIS ISSUE: October 2004

Issue No. 93

DISCLAIMER

THIS NEWSLETTER INCLUDES CLAIM PREVENTION TECHNIQUES THAT ARE DESIGNED TO MINIMIZE THE LIKELIHOOD OF BEING SUED FOR LEGAL MALPRACTICE. THE MATERIAL PRESENTED DOES NOT ESTABLISH, REPORT, OR CREATE THE STANDARD OF CARE FOR ATTORNEYS. THE ARTICLES DO NOT REPRESENT A COMPLETE ANALYSIS OF THE TOPICS PRESENTED AND READERS SHOULD CONDUCT THEIR OWN APPROPRIATE LEGAL RESEARCH.

LAPTOP COMPUTERS: PROTECTING CONFIDENTIAL CLIENT INFORMATION

Laptop computers present special data security risks because they are designed for mobility and are frequently used outside the office. Some of the risks associated with laptop usage are:

• Loss and Theft. Laptops are vulnerable to both human error (loss) and to greed (theft). The portable nature of laptops makes them easy to leave in a hotel room, airport, or restaurant. They are also easily stolen and sold on the black market. National crime statistics report that roughly 150,000 laptops were stolen in 1994, 200,000 in 1995, and 275,000 in 1996. Theft is growing faster than the number of laptop computers in use. Theft from an office is the most common, and airport theft the second most common.

• Unauthorized Access. Laptop computers are frequently used in insecure locations – conference rooms, temporary offices, and airports, to name a few. In most cases, the laptop is used in a conference room or other public area where the laptop user is not well known to others in the area. This situation makes it easy for an unauthorized user to view or use the laptop without looking suspicious. Be especially careful if you are using a high-quality large screen, as this allows a much wider viewing angle.

• Unauthorized Use of Data. Unauthorized use of data usually results from: (a) loss or theft of the laptop; (b) unauthorized access to the laptop for long enough to view or copy data; (c) loss or theft of data copied to diskettes or other portable storage devices (e.g., memory sticks, USB drives) for printing, backup, or data transfer; or (d) interception or compromise of data transmitted over telephone lines or the Internet.

These security risks cannot be eliminated, but a combination of technology tools and user awareness can reduce laptop data security risks to a reasonable level.

PHYSICAL SECURITY

The risks of theft, unauthorized access, or unauthorized use of data can be significantly reduced by diligently observing the following physical security practices:

• Use a sturdy bag that doesn’t look like a laptop bag to carry your laptop;

• Hang the bag from your shoulder or keep it on the floor between your feet;

• Use locking cables or burglar alarms;

• Never leave the laptop unattended or out of your sight in a public place;

• Don’t check the laptop as luggage or in a coatroom;

• Don’t store the laptop in airports, airplanes, trains, or subways;

• Keep the laptop with you when in taxis, cars, or other transportation;

• Watch the laptop as it goes through airport metal detectors (“snatch and grab” thefts are common); and

• Use locking or even unlocked drawers or cabinets to store laptop computers when you leave an office, conference room, or hotel room.

ACCESS SECURITY

The second line of defense against laptop theft or unauthorized use of data is access security. If a laptop computer is lost, stolen, or otherwise outside the control of its owner, data remains secure if an unauthorized person is prevented from turning the computer on and using it.

The simplest way to reduce access to your computer data is to log off of the computer when you are not able to stay near it, and to take the computer with you. Since this option is not always practical, you can also protect the data by using the lock computer function of the computer. Simply hit Ctrl-Alt-Delete while your computer is on, then select Lock Computer. Your laptop is now locked until an authorized user logs on.

Password security options include using password protection on screen savers (so a password is needed once the screensaver appears), using a password that guards against being easily guessed (often referred to as a “strong” password), changing passwords regularly, and following the other security suggestions that are available from the maker of your operating system. If you use Microsoft Windows, you can find a list of security tips by searching the Help menu.

DATA SECURITY

Access security alone is not sufficient protection for laptop computers. Power-on and screen-lock passwords can be eluded by removing a laptop’s hard drive and reinstalling the hard drive in another laptop, and neither system protects data being transmitted by CD, memory sticks, portable hard drives, or e-mail. Using security software and hardware security devices provides additional data security. An example of security software that includes e-mail encryption is Steganos Security Suite, reviewed in the September 2003 issue of PC World. Examples of hardware security devices are DEFCON Authenticator (reviewed by David Hiersekorn for the June/July 2003 issue of Law Office Computing) and MemoPass. These devices create and store personal profiles for the authorized user through a USB port or by access card.

Creating a mobile system can backfire if the system is not secure. This is a very important consideration when using a wireless connection. Wireless laptops and computers have wireless adapters and wireless access ports that enable them to connect to your computer network. Unfortunately, these wireless access ports transmit radio signals continuously. Since only about one percent of wireless users change the vendor’s default user name and configurations, 99 percent of these wireless access points are highly insecure. So if you are using a wireless network, don’t rely on the default settings of your laptop to protect you. Check with your wireless vendor or consult with an expert about how to properly secure your wireless system.

Last, but not least, laptop users can secure data by being selective about what they store on the laptop. If possible, avoid storing personal information (such as birth dates and social security numbers) on a laptop. When working away from the office, use resources that the computer can link to via the Internet as the sources of confidential data. Intranets, extranets, and Web sites protected by private passwords are examples of such sources not located on a laptop’s hard drive. If the laptop is lost or stolen, the client data will not be compromised. This is particularly true if you don’t store the passwords to such resources on the laptop itself, or if the passwords are well encrypted to prevent unauthorized access.

Our thanks to Beverly Michaelis, PLF Practice Management Advisor; Dee Crocker, PLF Practice Management Advisor; and Steel Scharbach of Steel Scharbach Associates, LLC, for their assistance with this article. The original article, “Notebook Security: Protecting Confidential Client Information,” October 1997, can be found at www.ssa-lawtech.com. Click on white papers, then on security issues.

Also see: To catch a thief: tips and tools to protect your computer investment, http://www.abanet.org/media/youraba/200806/article10.html.

Protect Client Information From Identity Theft

Did you know that in 2006 Oregon ranked as the 13th worst state for identity theft in number of victims per capita? According to the Federal Trade Commission, this crime costs U.S. businesses nearly $48 billion every year. As keepers of confidential client information, lawyers are particularly vulnerable.

The Oregon Consumer Identity Theft Protection Act (the Act) passed by the 2007 legislature (ORS 646A.600 to 646A.628) gives businesses some guidance in the protection of sensitive information that is collected, kept, and shared. The law contains three main components that will help protect sensitive information: (1) protection of Social Security numbers; (2) general safeguards for data; and (3) notification of a security breach. The safeguard standards became effective January 1, 2008; the remainder of the law became effective October 1, 2007.

Some law firms will not need to make any additional changes to their law practice to comply with the Act. In fact, many firms have already implemented most of the requirements because of the inherently confidential nature of operating a law practice.

Does the Act Apply to Lawyers?

The new law applies to lawyers who, in the course of their practice, maintain or possess an individual’s personal information. “Personal information” means an individual’s unencrypted or unredacted first name or first initial and last name in combination with any one or more of the following:

(1) Social Security number;

(2) Driver license number or state identification card;

(3) Passport number or other U.S.-issued identification card;

(4) Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.

Many law firms already comply with the Act because of the requirements of the Oregon Rules of Professional Conduct. Under ORPC 1.15-1, “Safekeeping Property,” a lawyer has a duty to appropriately safeguard a client’s property. A client file is considered client property; thus the information contained in a client file must be appropriately protected. See Oregon Formal Ethics Opinion No. 2005-125, fn 2. ORPC 1.6 requires lawyers to keep confidential any “information relating to the representation of a client.” In addition, the Act does not apply to law firms who comply with state or federal law that provides greater protection to personal information, such as Title V (the privacy provisions) of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR parts 160 and 164).

What Does the Act Require?

The focus of the Act is to provide businesses with reasonable safeguards and procedures in handling and disposing of personal information and to protect the security, confidentiality, and integrity of the information.

One requirement that may be new to lawyers is that Social Security numbers must be redacted on any materials that are mailed, publicly posted, or publicly displayed. This requirement does not apply to the use of SSNs for internal verification purposes or as required by state or federal law. Counties around the state have made available a UTCR Form 2.100 Affidavit that segregates personal information from documents that are filed in court. The requirement does not apply to judgments, court orders, or indictments filed before October 1, 2007.

If you collect any personal information, consider confirming in your fee agreement or engagement letter that the information will be used only to provide legal representation to the client. If your client’s case necessitates mailing documents that include Social Security numbers, you might also want to get the client’s written consent.

For law practices that do not currently have a security program in place, these are the minimum requirements that should be implemented to comply with the Act:

• Administrative safeguards – Identify what information the firm collects, where it is stored, and how to keep it safe; train employees in the security program; ensure that contracted service providers will protect personal information.

• Technical safeguards – Assess risks in your computer network and software programs; put in place safeguards to detect, prevent, and respond to attacks or system failures; test the safeguards to make sure they work.

• Physical safeguards – Protect against unauthorized access to or use of personal information.

The compliance standard for businesses with 50 or fewer employees is to have safeguards and disposal measures that are “appropriate to the size and complexity of the small business, the nature and scope of its activity, and the sensitivity of the personal information collected.”

Practitioners must dispose of personal information by burning, pulverizing, shredding, or erasing electronic media. When recycling an old computer, the hard drive must be cleaned, destroyed, or reformatted. For information on file management, retention, and destruction, go to www.osbplf.org. Under Loss Prevention, select Practice Aids and Forms, then select File Management.

Your security program should also include securely storing sensitive information by using passwords and encryption and by securing information on portable devices such as laptops, USB Flash Drives, and PDAs. (See “Easy to Use or Easy to Lose? How to Protect Mobile Devices,” page 7.)

What to Do After a Security Breach

The good news is that the Act gives law firms guidance on how to notify clients of a security breach. A “breach of security” is an “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information.” A breach of security can occur when a laptop or portable device is lost or stolen, or any time a computer hacker or an unauthorized person accesses personal information of a client.

If you discover that a security breach has occurred, you must immediately notify those individuals whose information has been breached. You can notify clients by (1) mail; (2) e-mail (if this is the usual way you communicate with your client); (3) telephone; or (4) substitute notice, in limited circumstances, involving large cost or volume, as specified by the Act. Whichever method of notification you select, be sure to document your efforts.

The notice must include the following information:

(1) a general description of the security breach;

(2) the approximate date the breach occurred;

(3) the type of personal information obtained as a result of the breach;

(4) your firm’s contact information;

(5) contact information for national consumer reporting agencies; and

(6) advice to the individual to report suspected identity theft to law enforcement, including the Federal Trade Commission.

For a sample notification letter, go to www.osbplf.org. Under Loss Prevention, select Practice Aids and Forms, then select Client Relations.

Notification is not required if, after an investigation or after consultation with law enforcement agencies, you determine that there is no reasonable likelihood of harm to the client whose personal information has been breached. When making this assessment, consider ORPC 1.4(b), which requires lawyers to explain matters to clients to the extent necessary for them to make informed decisions. Also, if your judgment about whether to make the disclosure is impacted – because you or someone in your firm was responsible for the breach – you may have a conflict due to a personal interest under ORPC 1.7(a)(2). You must document your determination in writing and retain it for five years.

If you discover a breach of security affecting more than 1,000 clients, you must immediately report your notification steps to all national consumer reporting agencies. Currently, there are four: Equifax, TransUnion, Experian, and Innovis. Your report should include the timing, distribution, and content of the notification given and the police report number, if available.

Post–security breach services, such as ID TheftSmart (www.idtheftsmart.com), offer identity restoration and credit monitoring services.

A PLF practice management advisor is available to meet with you to discuss your firm’s security plan and suggest other safeguards you may want to implement. You can reach Beverly Michaelis at 503-924-4178 or [email protected]; Sheila Blackford at 503-684-7421 or [email protected]; and Dee Crocker at 503-924-4167 or [email protected].

Kimi Nam

PLF Staff Attorney

Thanks to Helen Hierschbiel, OSB Deputy General Counsel, for her assistance with this article.


Identity Theft Protection

PLF/OSB Resources

In Brief Articles:

• Act Now to Avoid Disaster (May 2008)

• GLB Privacy Notice (Tips, Traps, & Resources, February 2006)

• Document Destruction (June 2005)

• Do You Need to Know About HIPAA? (June 200�)

Oregon State Bar Bulletin Articles:

• The Lawyer’s Guide to Mobile Computer Security (November 2007)

• Metadata: Guarding Against the Disclosure of Embedded Information (April 2007)

• Metadata: Danger or Delight? (May 2006)

Disaster Recovery

• Managing Practice Interruptions

• Protecting Your Firm (includes Web resources)

Technology

• How to Back Up Your Computer

• Application Service Providers

File Management

• File Retention and Destruction

Client Relations

• Notice to Clients re Theft of Computer Equipment

Additional Resources

State of Oregon’s Division of Finance and Corporate Securities (DFCS): http://www.cbs.state.or.us/dfcs/id_theft.html. Contains sample notification letters, tips for protecting data, contact information for DFCS representatives who can present information to your firm, and other resources.

Credit Reports and Credit Reporting Agencies: Consumers can obtain a free credit report once every 12 months. Free Annual Credit Report www.annualcreditreport.com will link you to three of the four national credit reporting agencies (Equifax www.equifax.com; Experian www.experian.com; TransUnion www.transunion.com). Innovis is the fourth (www.innovis.com).

Federal Trade Commission: www.ftc.gov/infosecurity. Provides information for businesses about keeping information secure. Includes a tutorial and related articles on protecting personal information.

Department of Homeland Security’s National Strategy to Secure Cyberspace: http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf. Describes the roles and responsibilities of both public and private sectors in the department’s efforts to secure cyberspace.

OnGuard Online: www.OnGuardOnline.gov. Gives practical tips from the federal government and technology experts on how to guard against Internet fraud, secure your computer, and protect personal information.

ABA Law Practice Management Section: www.abanet.org/lpm/resources/technology.shtml. Contains excellent information for lawyers on identity theft, hacking, viruses, spyware, and more.

ABA Legal Technology Resource Center: www.abanet.org/tech/ltrc. Contains a comprehensive collection of technology resources and information. See the article, “To Catch a Thief—Tips and Tools to Protect Your Computer Investment,” at www.abanet.org/media/youraba/200806/article10.html, and also at www.osbplf.org.

ABA’s GPSolo Technology & Practice Guide: www.abanet.org/genpractice/magazine/2006/jun/index.html. Published by the General Practice, Solo & Small Firm Division, the entire June 2006 issue (volume 2�, number �) is devoted to technological issues such as mobility and security.

Internal Revenue Service: www.irs.gov. IRS news release 2008-88, July 10, 2008, cautions about a new wave of scams using the IRS name in identity theft e-mails (phishing) involving tax refunds and economic stimulus payments.

Oregon Administrative Rule 160-100-0210: www.filinginoregon.com/notary/new_notary_journal_rule.htm. This new rule, effective May 1, 2008, addresses protections for notaries and the clients they serve by helping the notaries comply with the Oregon Consumer Identity Theft Protection Act.


WHAT TO DO ABOUT STOLEN/LOST CLIENT FILES

You leave the office. It’s a typical busy day, and you take a few files with you to work on at home. On the way, you stop at the grocery store to pick up a few items. On returning to the parking lot, you realize your car has been stolen. As you call the police and your insurance company to report the incident, you realize that your client files were in the car . . .

If this or a similar nightmare happens to you, call the PLF for advice on how to discuss this with your client. It is important to let your client know that the file has been lost or stolen and that you will be reconstructing the file. In addition, if your file, briefcase, or laptop contained social security numbers, birth dates, or other information that would allow someone to steal your client’s identity, your client will need to know in order to take the appropriate precautionary steps.

If your files are lost or stolen, contact your business insurance carrier to see whether your business policy covers you for the cost of reconstructing the file. This type of coverage is often included in your property coverage and may be referred to as Valuable Papers coverage.

The property coverage of your business insurance is also the coverage that would apply to replacement of stolen laptops, although a deductible may apply.

To make sure you have the level and type of coverage you want, contact your local insurance broker. A wide range of coverage limits and business coverage packages are available. Premiums vary with the amount of coverage, usually running from $250 to $1,500 per year.


[20Jan09 Rev 1/09] PROFESSIONAL LIABILITY FUND (NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT.DOC)

NOTICE TO CLIENTS RE THEFT OF COMPUTER EQUIPMENT

[Date]

IMPORTANT NOTICE TO ALL CLIENTS

RE: THEFT OF COMPUTER EQUIPMENT AND POSSIBLE BREACH OF INFORMATION

Dear Clients:

The purpose of this letter is to inform you that [describe event, such as: two of our laptops were stolen recently]. The theft has been reported to the authorities, our property management staff, our insurance carrier, and the three major U.S. credit bureaus.

Like many law offices, we maintain information on our computer system, including our laptops. The information we store electronically includes financial data and client records. Our standard practice is to protect all electronic information by [describe your standard practice, such as password protection]. Despite these measures, there is a risk that your confidential information, including your social security number or financial account information, may have been compromised. We deeply regret any inconvenience this event may cause you.

You have the right to request that credit reporting agencies place “security freezes” or “fraud alerts” in your credit file. Enclosed is important information from the Oregon Department of Justice explaining your rights as a potential victim of identity theft. More information is available on the Federal Trade Commission’s identity theft web site at www.ftc.gov/idtheft.

Because this is a serious incident, we strongly encourage you to take preventative measures now to help prevent and detect any misuse of your information. As a first step, we recommend you closely monitor your financial accounts and, if you see any unauthorized activity, promptly contact your financial institution. You also may want to consider requesting a free credit report from each of the three companies.

To order your free credit report, contact the Annual Credit Report Request Service:

Annual Credit Report Request Service
PO Box 105283
Atlanta, GA 30348-5283
www.annualcreditreport.com
Telephone: 1-877-322-8228

AnnualCreditReport.com is the official clearinghouse to help consumers obtain their free credit report from each of the nationwide credit reporting agencies.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. A victim’s personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

To protect yourself from the possibility of identity theft, Oregon law allows you to place a security freeze on your credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. To place a security freeze on your credit, you must contact each credit reporting agency individually by mail. For more information, please refer to the enclosed information from the Oregon Department of Justice. For detailed procedures, go to the Oregon Department of Consumer and Business Services at http://www.dfcs.oregon.gov/id_theft.html and click on How to Obtain a Security Freeze.

[Optional: If you decide to freeze your credit as a precaution and do not qualify for a free security freeze, our firm will cover the costs involved in placing the freeze with each credit agency. Any charge incurred to lift or remove a freeze will be the individual client’s responsibility. Please contact (specify name) at (specify method of contact) for more information.]

[Optional: To protect you we have retained [name of identity theft company], a specialist in identity theft protection, to provide you with [specify years] year(s) of protection and restoration services, free of charge. You can enroll in the program by following the enclosed directions. Please keep this information. You will need the personal access code it contains in order to register for services. The service package that we have arranged provides these protections for you: [List specific services the client will receive].]

While electronic information was lost as a result of this incident, please be assured that no paper files or documents were taken. Your client file is safe. Our standard procedure is to store client files in locked filing cabinets. Nevertheless, we are reviewing all our security measures to determine if improvements can be made.

Specify how clients should contact you with questions:

[Option 1: We are sending this letter to all clients affected by this loss. Due to the number of clients involved, please understand that it may be difficult for us to respond by phone to individual inquiries about the [event]. Please forward any questions you have in writing to [specify person and postal mail or e-mail address] and we will respond at the earliest possible opportunity. We regret having to inform you of this incident and we apologize for any inconvenience to you.]

[Option 2: If you have further questions or concerns, contact us at this special telephone number: [specify number]. You can also check our Web site at www.ourwebsite.org for updated information. We apologize for any distress this situation has caused you. We are ready to assist you in any way.]

Sincerely,

[Attorney]

ENC.:

Oregon Department of Justice: Credit and Identity Theft (Available at: http://www.doj.state.or.us/finfraud/idtheft.shtml)

Directions for Enrolling in Identity Theft Protection Service (if offered)


NOTE: Visit the Oregon Division of Finance and Corporate Securities (DFCS) Web site, http://www.dfcs.oregon.gov/id_theft.html. The DFCS is responsible for enforcement of the Oregon Identity Theft Protection Act. Click on Tools for Businesses for more information on:

Protecting Social Security Numbers

Data Breach Notification Requirements

Sample Notification Letter

Protecting Data

Frequently Asked Questions

Additional Resources

Publication: Protecting Your Personal Information – A Business Guide