Jackson Lewis P.C.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Jackson Lewis P.C. Data Breach Overview

Jackson Lewis P.C., a law firm, experienced a data breach due to a physical security incident that occurred on January 7, 2022. An unauthorized party broke into the law office and stole two hard drives containing clients’ personal information. The breach was not a result of a cyberattack but rather a theft of physical hardware[1].

Details of the Breach

  • Date of Occurrence: The theft happened on January 7, 2022[1].

  • Discovery and Response: The breach was discovered, and an investigation ensued. By August 2022, it was determined that personal information related to certain cases and individuals was compromised. Jackson Lewis P.C. notified affected parties in December 2022 and filed a notice with the California Attorney General’s Office on January 10, 2023[1].

  • Type of Information Stolen: The exact details of the personally identifying information (PII) stolen were redacted in the notice to the California Attorney General’s Office. However, it is suggested that the information could be severe, considering law firms typically handle sensitive data[1].
  • Admission of the Breach: Jackson Lewis P.C. admitted to the breach by filing the notice with the California Attorney General’s Office and took steps to investigate and mitigate harm, including efforts to locate the hard drives and reviewing security footage[1].
  • Potential Use of Stolen Information: The fate of the stolen information depends on the type of data involved. It could be sold if it includes social security numbers, insurance, or financial information[1].
  • Advice to Affected Parties: Affected individuals were advised to use credit and identity monitoring services, especially if financial or social security details were involved. Dark web monitoring was also recommended to detect if the information appears online[1].

Impact and Notifications

  • Number of Persons Affected: The total number of persons affected was reported to be 20,647, with 17 being Maine residents[8].

  • Consumer Notification: Written notifications to affected consumers began on March 16, 2023[8].

  • Identity Theft Protection Services: Jackson Lewis P.C. offered complimentary identity protection services for 12 months through Experian to those at risk[8].

Legal and Business Ramifications

  • Legal Consequences: The theft of sensitive data could lead to negligence claims, significant fines, contract disputes, potential lawsuits, loss of revenue, and reputational harm[4].

  • Business Impact: Operational chaos can result from supply chain or third-party vendor disruption due to unauthorized access[4].

Jackson Lewis P.C.’s Commitment to Security

  • Security Measures: Jackson Lewis P.C. has emphasized the importance of protecting personal information and continues to take measures to safeguard such data. This includes reviewing physical safeguards and employee training[16].

  • Information Security Program: The firm is expected to adopt a compliant information security program within 180 days of a settlement related to a different case[14].

Conclusion

The data breach at Jackson Lewis P.C. was a significant event due to the physical theft of hard drives containing sensitive client information. The firm has taken steps to address the breach and has provided identity protection services to those affected. The incident underscores the importance of physical security measures in addition to cybersecurity practices.

Citations:

  1. https://www.idstrong.com/sentinel/jackson-lewis-data-breach/
  2. https://www.jacksonlewis.com/sites/default/files/docs/JL_Privacy_Data_Cybersecurity_2022.pdf
  3. https://www.jacksonlewis.com/insights/what-real-estate-businesses-need-know-about-using-website-tracking-technologies
  4. https://www.jacksonlewis.com/insights/operational-chaos-ramifications-vendor-data-breach
  5. https://www.jacksonlewis.com/insights/importance-protecting-employee-information-privacy-and-cybersecurity-laws-proliferate
  6. https://www.idstrong.com/data-breaches/jackson-lewis-pc-breach/
  7. https://www.law360.com/health/articles/1772033/jackson-lewis-employment-probe-was-proper-2nd-circ-says
  8. https://apps.web.maine.gov/online/aeviewer/ME/40/2ce07965-3141-440b-8c41-ee31c1d2bc31.shtml
  9. https://www.natlawreview.com/article/downstream-breaches-cause-headaches-healthcare-providers-state-ag-seeks-law-change
  10. https://www.jacksonlewis.com/services/privacy-data-and-cybersecurity
  11. https://www.jdsupra.com/legalnews/corporate-boards-mulling-effects-of-sec-2841373/
  12. https://www.upguard.com/security-report/jackson-lewis-p-c
  13. https://www.natlawreview.com/article/federal-trade-commission-expands-rule-regarding-reporting-data-security-breaches
  14. https://www.workplaceprivacyreport.com/2023/02/articles/transactions/stolen-databases-obtained-in-transaction-leads-to-400k-settlement-with-pa-and-oh-attorneys-general/
  15. https://www.natlawreview.com/article/cybersecurity-awareness-month-series-cybersecurity-hoosier-state
  16. https://www.mass.gov/doc/assigned-data-breach-number-28911-jackson-lewis-pc/download
  17. https://www.natlawreview.com/article/cppa-mulls-draft-cybersecurity-audit-regulations-under-cpra
Breach Submission Date Feb 17, 2023
Converted Entity Name Jackson Lewis P.C.
Converted Entity Type Business Associate
State CA
Individuals Affected 986
Breach Type Theft

Breach Information Location Other Portable Electronic Device

Business Associate Present Yes