Archive for March, 2010

Letter to VA Board of Bar Examiners

I mailed the following letter to the Virginia Board of Bar Examiners on March 22, 2010, after receiving a letter with all of my sensitive information printed on a single sheet of paper.

Robert E. Glenn, President
Virginia Board of Bar Examiners
c/o Julie O’Kelly
2201 W. Broad Street, Suite 101
Richmond, VA 23220

Mr. Glenn:
I recently took the Virginia Bar Exam. I received a letter dated January 27, 2010 which contained instructions for the February exam. To my horror, I saw that the letter contained my full name, date of birth, social security number, school, MPRE score, results of my Character and Fitness Questionnaire, address, and email address on the form. This single piece of paper contains enough information for someone to impersonate me and commit identity theft. I count myself lucky that someone else didn’t check my mailbox the day this letter arrived.

I was sure that such an oversight was an isolated error, so I called the Board of Bar Examiners’ office to find out how a mistake like this could happen, to ask for a copy of the board’s privacy policy, and to ask who changed my authorization to put my identity at such substantial risk.

I was informed that the mailing of my sensitive personal information in a single letter was deliberate, the Board has no privacy policy, and that the Board authorized this reckless use of my personal information, against my wishes and authorization.

This letter is to object to some of the Board’s more dangerous privacy practices as I currently understand them, and request additional information.
Please send a copy of the Board’s privacy policy. If one does not exist, please send the following information:

  • How long will the Board keep my personal information on file, and for what purposes?
  • Does the Board store my personal information on encrypted hard drives?
  • On how many computers does the Board store copies of my personal information, and where do the hard drives go when the computers are retired or replaced?
  • With what entities does the Board share my personal information, and under what conditions?
  • What security measures, if any, does the Board use to detect intrusion or improper use by employees?

I understand that the Board needs to verify personal information with examinees. However, even minor common-sense steps would substantially increase security. These may include:

  • Sending separate mailings, each of which lacks a full set of personal information.
  • Omitting digits of the social security number.
  • Writing and disseminating a Privacy Policy, and updating your organization’s privacy practices.

I hope that the Board takes these matters seriously, and updates its privacy policies and practices immediately. The Board of Bar Examiners has violated my trust, and I fear that the Board will continue to put me at risk of identity theft and other harms.

I look forward to answers on these most pressing issues. I also stand ready to assist in your effort to improve your privacy practices.

Sincerely,
Aaron Titus

How to Avoid a Legal 500 Error with your Privacy Policy

Note: A version of this article originally appeared on the Security Catalyst Blog

Avoid a Legal 500 Error. Debug your privacy policy.

Legal Programming

By Aaron Titus

I’m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice. OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training. And if I wanted an iPhone app, I’d talk to a programmer. If I wanted legal documents, I’d talk to a lawyer.

In fact, lawyers are programmers. Writing legal documents—like privacy policies—is just like writing code.
