SJC approves interim guidelines for protecting personal identifying data

Issue April 2010

by Jared D. Correia

In this third and final installment on the data privacy regime in Massachusetts, we consider the protection of sensitive data as it is submitted to the courts. Beyond the data that they maintain, and that they destroy, attorneys also have obligations in the way they submit documents to the courts.

On Jan. 17, 2009, the Massachusetts Supreme Judicial Court announced that it had approved Interim Guidelines for the Protection of Personal Identifying Data (PID) in Publicly Accessible Court Documents. The guidelines became effective Sept. 1, 2009.

In light of a number of high-profile data breach cases, it has become an abiding concern of the Commonwealth that its residents' private information is protected. Since there are statutes and regulations in place mandating the additional protections of specified resident information maintained by businesses, perhaps it is not all that surprising, following closely on the heels of the adoption of those laws, that the court system would adopt measures for the protection of private data appearing in court filings, which often become public domain. Data privacy protection respecting publicly accessible court documents is a higher priority, it could be argued, than the protection of private data residing on business computers, because the publicly accessible information accessible through the courts is veritably handed to potential criminals, without any need for a breaching action.

It would be neglectful of the court system, and the legal community at large, to allow information potentially usable for identity to float in public repositories.

But the courts are overburdened, and could not spare the staff required to redact PID from submitted court documents, even if it were fair to ask them to do so.

The redaction of PID under the guidelines, then, becomes the affirmative duty of the attorney (and others). That was the simple relaying of the basics directive of the guidelines, but a large question remains:

What else do you need to know?

  • The guidelines apply to all cases in all Massachusetts courts with respect to documents that are (or become, once filed), publicly accessible.
  • Henceforth, "the filer" (i.e., you) should delete or redact (that is, white out, black out or  omit), to the last four digits, PID that includes the familiar Chapter 93H data sets (Social Security number, financial account number, state-issued identification number) plus taxpayer identification and passport numbers. A person's mother's maiden name, identified as such, should also be deleted, to the first initial of the maiden name. (Thus, Wilma Slaghoople Flintstone becomes Wilma S. Flintstone, providing for her a Harry Truman-style cover.)
  • Any deletions made are to be tagged with the following information: filer's name, the date, the phrase "PID guidelines."
  • Exceptions (labeled "exemptions," in the guidelines) are five, as follows: (1) when full inclusion is required by law or rule; (2) for certain PID in criminal or youthful offender cases; (3) when the filer reasonably believes that complete information must be included, in order to resolve a particular issue, or for the identification of a person; (4) for transcripts of court proceedings; (5) for documents that are produced directly by non-parties in response to court orders, or subpoenas.
  • Clerks of court are directed to encourage compliance with the interim guidelines, but will not be reviewing documents for compliance, nor will they be rejecting documents for non-compliance.

In addition to the preceding main points, there are also some interesting, subsidiary points arising in the guidelines that warrant your notice:

  • The guidelines apply to both paper and electronic filings.
  • "Filer" is broadly defined within the guidelines, and includes, by way of example, police officers applying for search warrants and amici curiae.
  • Filers must maintain and make available unredacted copies of redacted documents (exhibits, but not, for example, drafted motions, or other documents drafted specifically for filing with the courts, which should be drafted to avoid inclusion of complete personal identifying data sets).
  • The guidelines introduce specific additional mandates for appellate court filings, since those documents become more widely available than trial court documents.

The adoption of these interim guidelines, and, following commentary, the likely adoption of final guidelines, certainly does make for the creation of further administrative burdens for the state's attorneys.

The protection of resident information against identity theft is, without question, a legitimate aim of the state, and is to the benefit of everyone living in Massachusetts, including attorneys. Furthermore, it is best practice, and a good business decision, to remove such private information from documents that will become publicly accessible. You don't want to be that guy or gal who is remembered as having been careless enough to lay your client's Social Security number bare for the world to see. But if you wish to neglect your marketing, or are not feeling particularly altruistic, think of this: this will not be an option much longer.

True compliance is about being proactive. You want to be complying already, or, at the very least, be ready to comply, when an effective date has been reached. Scrambling at the last second will give rise to significant errors and potential liability. If these guidelines affect your practice, employ compliance measures - including administrative checkpoints - now, based on the prevailing form of the regulations, then tweak your systems as needed, as you track any changes made in moving toward a final version of the guidelines.