Cybersecurity and Identity Theft–Sometimes it Really Is a Stradivari Violin

Huguette Clark died at the age of 104 in a hospital under a pseudonym, divorced, childless, and a recluse, belying her background. When she moved into the hospital voluntarily more than 20 years before her death, Huguette left behind more than $50 million in New York Fifth Avenue apartments. A 52-acre estate in Connecticut, inherited from her father, U.S. Senator and industrialist William A. Clark, had remained vacant for nearly 60 years, twenty of them while Huguette resided in New York hospitals.

Sad as it is, this story would not have caught my eye, but for its music connection. In 1946, Huguette’s mother, the second wife (and former ward) of William A. Clark, commissioned the Paganini Quartet. She also acquired four Stradivarius instruments for the quartet’s use. Huguette’s half-brother from her father’s first marriage, William A. Clark, Jr., formed the Los Angeles Philharmonic.

But the most astonishing musical connection to Huguette Clark came in 2014, three years after her death. While cleaning out a closet in one of Huguette’s Fifth Avenue apartments, someone found a violin bearing the Stradivari label tucked away, untouched for more than 25 years.

Probably not a day goes by when a violin dealer doesn’t see an old violin with a Stradivari label someone found in a closet or attic. Those dealers usually have to crush the finder’s hope for sudden wealth by informing them that the old violin is a cheap imitation.

However, the violin found in Huguette’s closet was an authentic Stradivari violin. And it wasn’t just any Stradivari. It was the 1731 “Kreutzer” Strad, named after former owner violinist Rodolphe Kreutzer, and was estimated to be worth as much as $10 million. [1]

First Assume that the Strad is a Fake or Your Personal Information is at Risk

Reading about Huguette and the one-in-a-million real Strad, I recalled a recent experience in my own life. I received a telephone message no one wants–my bank manager was calling. She said it was important and I should call her as soon as possible.

Unfortunately, the message came late on a Friday afternoon, and I did not receive it until after the bank had closed for the weekend. I checked my online banking records, and everything appeared okay. Yet, the tone of the manager’s message kept me on edge all weekend.

When I called the bank first thing on Monday morning, it seemed my concerns were justified. Someone I did not know had called the bank headquarters, and she had personal information about me, including one of my law firm’s bank account numbers.

The bank reported that she had asked who had signature authority to sign on the bank account and had even given a name and alleged phone number. I was sure that this call hadn’t come from someone I knew, but I still asked for all information. The manager promised to send it to me.

My mind raced back to an experience more than 20 years ago when, after stealing checks from the U.S. mail, someone fraudulently cashed at least 25 checks on my account at a different bank. Cleaning that incident up had taken many hours, as I filed police reports and signed dozens of fraud affidavits with the bank. I wondered if this recent caller was trying to get the names of authorized signers so she could commit a similar offense.

Defending Against Potential Identity Theft

Had this been a fake Strad found in my attic, there wouldn’t have been a risk of collateral damage. However, I knew that someone had my bank account information and that there was the possibility that information could be misused.

I breathed a sigh of relief when the bank told me that it had not given out any information, and the manager and I went into defensive mode. We strategized about how we would address the perceived risk. I was expecting some incoming wire transfers, but a freeze on outgoing activity was possible. After that, we would set up a new bank account number.

I hung up from the call with the bank manager grateful that my bank had exercised such caution. Modern protocols had identified and prevented what could have been an attempt at identity theft or compromise of my bank account.

Meanwhile, I thought about who might have had access to my bank account number. Other than me, my financial person, and the bank, only individuals who had sent me wires or received checks from that account had it. The account was only a few months old, and I hadn’t written many checks, so that was a small group of businesses, including some of my clients.

Driven to protect my clients, I reached out first to clients who had sent me wire transfers. I made them aware of the situation and suggested that they confirm that their data was secure, lest they, too, become victims.

Determining the Source of the Potential Data Breach

Later that morning, I received the name (I’ll call her Ms. Smith) and phone number of the woman who had called my bank. I did a reverse lookup on the phone number and saw that it belonged to a vendor with whom I do business.

The vendor’s website appeared to list all employees, but none named Smith. The caller had left a phone extension, but it had three digits. The extensions on the vendor’s website had four digits, making me more suspicious that the caller might not be affiliated with that vendor.

Concerned that the vendor could have a rogue employee or that someone could be contacting others of the vendor’s customers, I decided to call the chief financial officer (CFO). When I told my story, she, too, expressed concern. After all, data breaches and identity theft have become more common.

When I shared the name the caller to the bank had left, the CFO gave pause. She shared that the vendor has a part-time employee with the last name Smith who comes in for a few hours each week to help with data entry and other matters. Ms. Smith was in the office, so the CFO suggested we bring her into the call.

After some discussion, Ms. Smith admitted that she had called my bank. She had received a check from my account and wanted to verify some information she needed to put into the vendor's system. Ms. Smith decided the best way to get that information was to call my bank and ask for the necessary information.

Like Huguette’s Strad, mine was one of the few violins found in a closet that wasn’t a fake. The CFO assured me that Ms. Smith had been working for them for more than 25 years, that she was trustworthy, and that my data was safe. Although I had experienced previous identity theft, this time, my investigation had paid off in showing I was not at risk.

An Ounce of Prevention

This story ends with my telling the bank to lift the hold on my account and that I would not need a new account. I also had to tell my clients to ignore my email expressing concerns that their systems might not be secure.

It was inconvenient and slightly embarrassing, but I’m still glad I took the following steps to protect my information and that of those with whom I do business:

  1. Prevent Loss. In my case, that involved blocking outgoing amounts from my bank account. For a password compromise, it might involve changing a password.
  2. Identify Vulnerabilities. I asked the bank for more information about the caller. Since the biggest concern was that the caller had my bank account number, I evaluated access inside of my organization. I also determined who outside of my organization could have obtained the account number, whether from wire transfer instructions or a check.
  3. Block Vulnerabilities. While I waited for the bank to provide more information, I contacted those inside of my organization to determine if anyone’s information had been compromised. I also began to notify those parties that there could be a vulnerability in their systems, starting with the most likely.
  4. Longer Term Security Solution. In my case, it would have been a new bank account. Had I identified flaws in my internal security, it could also have involved new data protection protocols, new passwords, or other changes.

Twenty-First Century Policies and Procedures

In my situation, the potential data breach didn’t arise out of a weak password, outdated virus or malware software, or a computer hack. It arose out of outdated policies and procedures.

What Ms. Smith did is exactly what I would have done if I had needed information in the days before every business had a website and Google was a household word. The information the vendor wanted was available on a public website. However, Ms. Smith's use of these 20th century data verification techniques (i.e. a telephone call) in a 21st century data environment appeared suspicious. It created concerns about security and cost valuable time for me and the bank personnel.

The lesson from this is to stay up to date. When we talk about data security, our minds move to computers, cloud systems, and smartphones. We seldom think about our handbooks and protocols.

We need complex passwords and updated virus and malware protection. But we also need to keep our policies and procedures and employee training current so they reflect the latest technological advances.

© 2018 by Elizabeth A. Whitman

DISCLAIMER: The content of this blog is for informational purposes only and does not provide legal advice to any person. No one should take any action regarding the information contained in this blog without first seeking the advice of an attorney. Neither reading this blog nor communication with Whitman Legal Solutions, LLC or Elizabeth A. Whitman creates an attorney-client relationship. No attorney-client relationship will exist with Whitman Legal Solutions, LLC or any attorney affiliated with it unless and until a written contract is signed by all parties and any conditions in such contract are fully satisfied.

 

[1] Rodolphe Kreutzer was a French violinist, conductor, and composer in the late 18th and early 19th centuries. Although he composed about 40 operas and 19 violin concertos, he is best known today for his 42 Etudes, which are among the standard repertoire. Beethoven’s challenging “Kreutzer” violin sonata was dedicated to Kreutzer after Beethoven had a falling out with the violinist to whom it originally was dedicated. Kreutzer, however, never performed the work and reputedly was not particularly fond of Beethoven’s compositions generally.