By Alan Gahtan - May 5, 1997
An article recently appeared on The New York Times Website which describes how a Nevada resident had purchased a used computer at an auction that was found to contain 2,000 patient records from a pharmacy in Arizona
C.J. Prime, a self-employed computer technician had purchased a used IBM Personal Computer for approximately US$159 from a vendor based in Mountain View, California. The computer had originally been used by a supermarket pharmacy in Tempe, Arizona. It contained names of patients, their addresses, social security numbers and a list of medicine that they had purchased at the pharmacy. Through the type of medication prescribed, it would be possible to determine which patients were suffering from AIDS, alcoholism and depression.
The incident highlights a growing problem where sensitive personal or corporate information stored on inexpensive personal computers is not properly deleted when the equipment is disposed of. Although many large organizations utilize centralized file servers to house and protect important files and documents, many also utilize document management programs or other processes which may store a copy of all documents created or accessed by a particular user on that user’s personal computer. This is done in order to provide access to such documents in the event of a problem with the file server or corporate network.
Some personal computers, especially laptops or computers utilized to access the law firm system from home or other external locations, may also contain software and/or embedded passwords which were used to provide that the original user with access to these remote systems or legal databases (such as QL). If these are not properly deleted then a subsequent purchaser may utilize such facilities to obtain unauthorized access to those law firm systems or legal databases.
Lawyers are subject to numerous obligations to maintain the confidentiality of information belonging to their clients. Policies should be implemented to ensure that any information contained on storage devices, such as hard disk drives, is properly erased before such equipment is sold by the law firm or returned to a leasing company. Leasing contracts should also clearly provide that any data stored on personal computers acquired by a law firm belong to the law firm and that the law firm has an explicit right to erase such data before returning the computers to the leasing company for any reason.
This problem also needs to be considered from the perspective of maintenance work performed on personal computers. Any hardware maintenance contracts should explicitly provide that defective storage devices, including hard disk drives, may be retained by the law firm rather than exchanged with a replacement unit (as is commonly the case with most maintenance contracts).
It should be noted that most attempts to delete computer-based information do not actually erase the information but rather only mark the disk space as available. In many cases, such deleted information may be recovered using commonly available utility programs. Any procedure adopted by law firms to delete computer-based information should incorporate the use of special utility programs which will over-write any information sought to be deleted and thereby ensure that it may not be recovered by a third party.
Related Sources: Canadian Legal Resources | Cyberlaw Encyclopedia | Entrepreneur Resources | Canadian Technology | Precedents | Alan Gahtan
© 2005 Alan M. Gahtan. All Rights
Reserved | Use is subject to these Legal
Terms
Disclaimer: Not all materials may be applicable in your jurisdiction. Not intended to be a
substitute for professional advice. No implied endorsement of, or affiliation with, any
linked sites. Path to individual pages may change - please link to home page only.
Linking Info