by Jared D. Correia
In this third and final installment on the data privacy
regime in Massachusetts, we consider the protection of sensitive
data as it is submitted to the courts. Beyond the data that they
maintain, and that they destroy, attorneys also have obligations in
the way they submit documents to the courts.
On Jan. 17, 2009, the Massachusetts Supreme Judicial Court
announced that it had approved Interim Guidelines for the
Protection of Personal Identifying Data (PID) in Publicly
Accessible Court Documents. The guidelines became effective Sept.
1, 2009.
In light of a number of high-profile data breach cases, it has
become an abiding concern of the Commonwealth that its residents'
private information is protected. Since there are statutes and
regulations in place mandating the additional protections of
specified resident information maintained by businesses, perhaps it
is not all that surprising, following closely on the heels of the
adoption of those laws, that the court system would adopt measures
for the protection of private data appearing in court filings,
which often become public domain. Data privacy protection
respecting publicly accessible court documents is a higher
priority, it could be argued, than the protection of private data
residing on business computers, because the publicly accessible
information accessible through the courts is veritably handed to
potential criminals, without any need for a breaching action.
It would be neglectful of the court system, and the legal
community at large, to allow information potentially usable for
identity to float in public repositories.
But the courts are overburdened, and could not spare the staff
required to redact PID from submitted court documents, even if it
were fair to ask them to do so.
The redaction of PID under the guidelines, then, becomes the
affirmative duty of the attorney (and others). That was the simple
relaying of the basics directive of the guidelines, but a large
question remains:
What else do you need to know?
- The guidelines apply to all cases in all Massachusetts courts
with respect to documents that are (or become, once filed),
publicly accessible.
- Henceforth, "the filer" (i.e., you) should delete or redact
(that is, white out, black out or omit), to the last four
digits, PID that includes the familiar Chapter 93H data sets
(Social Security number, financial account number, state-issued
identification number) plus taxpayer identification and passport
numbers. A person's mother's maiden name, identified as such,
should also be deleted, to the first initial of the maiden name.
(Thus, Wilma Slaghoople Flintstone becomes Wilma S. Flintstone,
providing for her a Harry Truman-style cover.)
- Any deletions made are to be tagged with the following
information: filer's name, the date, the phrase "PID
guidelines."
- Exceptions (labeled "exemptions," in the guidelines) are five,
as follows: (1) when full inclusion is required by law or rule; (2)
for certain PID in criminal or youthful offender cases; (3) when
the filer reasonably believes that complete information must be
included, in order to resolve a particular issue, or for the
identification of a person; (4) for transcripts of court
proceedings; (5) for documents that are produced directly by
non-parties in response to court orders, or subpoenas.
- Clerks of court are directed to encourage compliance with the
interim guidelines, but will not be reviewing documents for
compliance, nor will they be rejecting documents for
non-compliance.
In addition to the preceding main points, there are also some
interesting, subsidiary points arising in the guidelines that
warrant your notice:
- The guidelines apply to both paper and electronic filings.
- "Filer" is broadly defined within the guidelines, and includes,
by way of example, police officers applying for search warrants and
amici curiae.
- Filers must maintain and make available unredacted copies of
redacted documents (exhibits, but not, for example, drafted
motions, or other documents drafted specifically for filing with
the courts, which should be drafted to avoid inclusion of complete
personal identifying data sets).
- The guidelines introduce specific additional mandates for
appellate court filings, since those documents become more widely
available than trial court documents.
The adoption of these interim guidelines, and, following
commentary, the likely adoption of final guidelines, certainly does
make for the creation of further administrative burdens for the
state's attorneys.
The protection of resident information against identity theft is,
without question, a legitimate aim of the state, and is to the
benefit of everyone living in Massachusetts, including attorneys.
Furthermore, it is best practice, and a good business decision, to
remove such private information from documents that will become
publicly accessible. You don't want to be that guy or gal who is
remembered as having been careless enough to lay your client's
Social Security number bare for the world to see. But if you wish
to neglect your marketing, or are not feeling particularly
altruistic, think of this: this will not be an option much
longer.
True compliance is about being proactive. You want to be complying
already, or, at the very least, be ready to comply, when an
effective date has been reached. Scrambling at the last second will
give rise to significant errors and potential liability. If these
guidelines affect your practice, employ compliance measures -
including administrative checkpoints - now, based on the prevailing
form of the regulations, then tweak your systems as needed, as you
track any changes made in moving toward a final version of the
guidelines.