by Rodney S. Dowell, Esq.
Director, Law Office Management Assistance Program
As of March 1, 2010, Mass. G.L. ch. 93H and 201 CMR 17.00 will
be enforced to protect confidential consumer information. The
governing regulations issued by the Massachusetts Office of
Consumer Affairs impose obligations on businesses, obviously
including law offices, to protect Massachusetts residents from data
breaches. The regulations were precipitated by the highly
publicized thefts of personal information from customers of the TJX
Companies and Hannaford Supermarkets.
The statute and regulations are intended to protect the
"personal information" of Massachusetts residents when used by any
business (in any jurisdiction), including law offices. "Personal
information" includes a Massachusetts resident's first and last
name in combination with any one or more of the following: (i) a
Social Security number, (ii) a driver's license number or
state-issued identification card number, and (iii) a credit or
debit card or other financial account number, regardless of whether
a PIN or security code is included.
This personal information must be protected as a hard-copy
document or an electronic document. Compliance with the regulations
will be judged on a case-by-case basis, taking into consideration
the size of the business, the resources available to the business,
the amount of data stored by the business and the need for privacy
and security of the client/customer/employee data.
If the Massachusetts Attorney General's Office believes that an
entity did not comply with the security requirements, it may seek
injunctive relief and/or recover civil fines of up to $5,000 and
attorneys' fees and costs. In addition to potential fines and
costs, any office found in noncompliance will suffer the distress
of having to explain to its clients why it was not in compliance
with a regulation that was intended to protect its clients'
confidential information. Such a failure would be embarrassing
for a law office.
Most law firms should assume that the regulations apply, or will
apply, to the firm, and take appropriate actions to comply with the
statute. Although there may be ways to reduce the scope of work
needed to comply with the regulations, such as (1) limiting the
amount of personal information gathered and keeping such
information only as long as needed for legitimate business purposes
or to comply with state and federal law; and (2) limiting or
prohibiting the use of portable electronic devices to carry
protected data, there is a limit to the feasibility of either
solution in a modern law office.
The following initial steps should be taken to ensure compliance
with the regulations. Each entity or law firm should read the
statute and regulations and independently determine what is
required for full compliance.
Step one: Identification of personal information
Compliance with the regulations will require that each law
office take action to secure protected data, both hard copy and
electronic. An effective compliance plan will require that the law
firm identify all records in its possession that contain personal
information, both electronic and paper, and all portable electronic
storage media, including laptops, USB flash drives, portable hard
drives, etc., that contain personal information. In addition, the
law firm must identify all third-party vendors that either hold or
have access to protected data on behalf of the law firm. The
process of identifying records which are protected by the
regulations will give the law office a much better idea of the
scope of work needed for compliance with the regulations. In
addition, it will allow the firm to begin the second necessary step
for compliance.
Step two: Create a written information security program
The firm must adopt a written policy of privacy and security
practices, termed a "written information security program" ("WISP")
for handling protected data. An excellent guide is available to
help create a WISP on the Massachusetts Office of Consumer Affairs
and Business Web site: Under the tab "For Business," look for
"Identity Theft." You can also find a compliance checklist to
ensure that the WISP is fully compliant with the regulatory
requirements. Your WISP will require the firm to set forth the
reasonably foreseeable internal and external risks, the likelihood
and potential damage from those threats, an evaluation of the
sufficiency of existing policies to protect the confidential
information, and a determination of how to minimize the risk
consistent with the requirements of 201 CMR 17.00.
In light of the flexibility provided within the regulations for
companies of different sizes and facing different risks, there is
no cut-and-paste WISP that will work for every law firm. Therefore,
a law firm should anticipate that this step will be time-consuming,
but once it is completed, a strong foundation will exist for future
compliance efforts. It is important to note that the WISP will need
to be reviewed annually to ensure that the risks have not changed
and the security efforts are still effective.
In addition, each firm also must realize that the WISP will
require an evaluation of third-party service providers that may
hold confidential information on behalf of the firm. Examples of
third-party service providers would be a payroll company or IT
consultant. Review the compliance checklist to ensure that you have
included all critical aspects of the WISP.
It is not enough simply to create a WISP; the firm must then
implement it to protect all personal information contained in both
hard-copy documents and electronic data. The firm will have to put
the appropriate protective measures in place, and it must then make
all employees aware of the written policy and train them on how to
comply with the WISP.
Look for Data Privacy Part II in next month's Lawyers
Journal. Part II will focus on implementation strategies.