Monday, Sept. 1, 2014

Client files with personal information found in Dumpster

By Mike Anderson, Deseret News

Published: Tue, April 22 5:25 p.m. MDT

 Files containing client Social Security numbers and bank account information were found dumped outside the former office of Thomas Rasmussen near 4700 S. Highland Drive, Saturday, April 19, 2014. This photo was digitally altered to protect the names of the clients.

Files containing client Social Security numbers and bank account information were found dumped outside the former office of Thomas Rasmussen near 4700 S. Highland Drive, Saturday, April 19, 2014. This photo was digitally altered to protect the names of the clients.

(Ray Boone, Deseret News)

HOLLADAY — David Shell is outraged.

Files containing clients' Social Security numbers and bank account information were found dumped outside the former office of Thomas Rasmussen near 4700 S. Highland Drive. One of those files contained Shell's information.

“I don’t believe it,” he said. “They should not be able to just take a receipt book and throw it in the garbage out behind their business.

“That’s still a valid bank account,” he said, looking at a ledger with his bank information from more than 10 years ago.

KSL pulled one box out of the Dumpster and then notified the Utah State Bar. It recovered eight more. Files in the boxes — all at least a decade old — were secured and are being destroyed.

“This is big. This is a violation of my privacy and of my security,” Shell said. "You just don’t know what’s going to come back to bite you.”

Rasmussen said he wasn’t sure how the files left the office and that a plumber doing work in the building may have thrown them out to clear a crawl space. Rasmussen was disbarred a few years ago and said he no longer works in the legal business.

Scott Morrill, program manager for the Identity Theft Reporting Information System with the Utah Attorney General's Office, said leaving that information could really cause damage to a person’s credit or finances.

“When they put them in the trash like this, it allows anybody to obtain that information,” Morrill said. “And once they obtain the Social Security number, they can basically do whatever they want. They could set up accounts, file tax returns, (and) obtain credit cards."

State statute requires businesses to notify customers of electronic data breaches, but if the data are on paper and it is stolen or discarded, there's no such requirement.

“It’s not covered under this data breach statute because it’s not computerized data. It’s not data on a hard drive,” Morrill said.

That doesn’t mean victims can’t take civil action, he said.

“If they become a victim, they might want to contact their own attorney,” Morrill said.

Business owners should have a policy on how to handle personal information, he said.

“It should be kept in an encrypted form, on a computer hard drive or some sort of storage device, behind firewalls and not kept out in the open,” Morrill said.

The company should also have a policy in place on how to destroy and remove those documents, he said.

“This involves a lot of my life,” Shell said. “This can affect my whole life, and somebody that you should be able to trust, like an attorney, should not be able to just disregard your privacy and your information."

Contributing: Viviane Vo-Duc

Email: manderson@deseretnews.com

Related Stories
Recommended
1. Brahmabull
sandy, ut,
April 22, 2014

It is no wonder that this so called attorney has been disbarred. If he is that careless about other peoples information it makes me wonder what other questionable things he has done.

2. My2Cents
Taylorsville, UT,
April 23, 2014

The only ones to blame are anyone who volunteered this information to people who should not have it. No one else can be held accountable when personal information is volunteered to banks, credit agency's, police, lawyers, etc.

It is everyone's responsibility not to give out the information this lawyer or previous holder had. He is not liable nor is he responsible when you casually hand out this information to anyone who asks for it. There are only 3 people who should have this information, the payroll office of your job, the IRS, and the person himself. It is illegal for anyone else to ask for it and if you surrender this inf oration its your fault if it is not secured.

It is even illegal for parents to know their childrens SSA numbers or use their SSA for any reason or give it to anyone for any reason. Its in the SS laws so stop whining about having your ID taken for your own negligence. If you don't believe me try to get information from the SSA on your childs SSN.

3. sunderland56
Moab, UT,
April 23, 2014

“It’s not covered under this data breach statute because it’s not computerized data. It’s not data on a hard drive”

Then the law is very badly written; it should prohibit the disclosure of data in any form. Ten years from now, who knows how we will be storing data?

The federal HIPPA laws concerning the disclosure of patient medical data in ANY form whatsoever. Even talking with a patient where others can overhear the conversation is prohibited. Shouldn't we make our financial data just as secure as our medical data?

4. Utah Native
Farmington, UT,
April 23, 2014

It's not always negligence. The sad reality is this could happen to anyone, no matter how careful they are with personal information --- it just takes a careless or vengeful employee to wreak havoc with one's credit score. This year I spent my wedding anniversary in court listening to a judge read off 20 felony counts of fraud against an identity thief who bought my information (name, SSN, birthdate, etc.) from a disgruntled ex-employee of a Davis County pharmacy. The going price was $10 per name. For $10 the thief tapped into my excellent credit and racked up tens of thousands in my name, as well as in the names of others whose information he had purchased.