Data privacy Part I: Complying with new regulations to keep confidential personal information protected

Issue February 2010

by Rodney S. Dowell, Esq.
Director, Law Office Management Assistance Program

As of March 1, 2010, Mass. G.L. ch. 93H and 201 CMR 17.00 will be enforced to protect confidential consumer information. The governing regulations issued by the Massachusetts Office of Consumer Affairs impose obligations on businesses, obviously including law offices, to protect Massachusetts residents from data breaches. The regulations were precipitated by the highly publicized thefts of personal information from customers of the TJX Companies and Hannaford Supermarkets.

The statute and regulations are intended to protect the "personal information" of Massachusetts residents when used by any business (in any jurisdiction), including law offices. "Personal information" includes a Massachusetts resident's first and last name in combination with any one or more of the following: (i) a Social Security number, (ii) a driver's license number or state-issued identification card number, and (iii) a credit or debit card or other financial account number, regardless of whether a PIN or security code is included.

This personal information must be protected as a hard-copy document or an electronic document. Compliance with the regulations will be judged on a case-by-case basis, taking into consideration the size of the business, the resources available to the business, the amount of data stored by the business and the need for privacy and security of the client/customer/employee data.

If the Massachusetts Attorney General's Office believes that an entity did not comply with the security requirements, it may seek injunctive relief and/or recover civil fines of up to $5,000 and attorneys' fees and costs. In addition to potential fines and costs, any office found in noncompliance will suffer the distress of having to explain to its clients why it was not in compliance with a regulation that was intended to protect its clients' confidential information. Such noncompliance would be an embarrassing failure for a law office.

Most law firms should assume that the regulations apply, or will apply, to the firm, and take appropriate actions to comply with the statute. There may be ways to reduce the scope of work needed to comply with the regulations, such as (1) limiting the amount of personal information gathered and keeping such information only as long as needed for legitimate business purposes or to comply with state and federal law; and (2) limiting or prohibiting the use of portable electronic devices to carry protected data. However, there is a limit to the feasibility of either solution in a modern law office.

The following initial steps should be taken to ensure compliance with the regulations. Each entity or law firm should read the statute and regulations and independently determine what is required for full compliance.

Step one: Identification of personal information

Compliance with the regulations will require that each law office take action to secure protected data, both hard copy and electronic. An effective compliance plan will require that the law firm identify all records in its possession that contain personal information, both electronic and paper, and all portable electronic storage media, including laptops, USB flash drives, portable hard drives, etc., that contain personal information. In addition, the law firm must identify all third-party vendors that either hold or have access to protected data on behalf of the law firm. The process of identifying records which are protected by the regulations will give the law office a much better idea of the scope of work needed for compliance with the regulations. In addition, it will allow the firm to begin the second necessary step for compliance.

Step two: Create a written information security program

The firm must adopt a written policy of privacy and security practices, termed a "written information security program" ("WISP"), for handling protected data. An excellent guide to creating a WISP is available on the Massachusetts Office of Consumer Affairs and Business Web site: under the tab "For Business," look for "Identity Theft." You can also find a compliance checklist there to ensure that the WISP fully satisfies the regulatory requirements. Your WISP will require the firm to set forth the reasonably foreseeable internal and external risks, the likelihood and potential damage of those threats, an evaluation of the sufficiency of existing policies to protect the confidential information, and a determination of how to minimize the risk consistent with the requirements of 201 CMR 17.00.

In light of the flexibility provided within the regulations for companies of different sizes and facing different risks, there is no cut-and-paste WISP that will work for every law firm. Therefore, a law firm should anticipate that this step will be time-consuming, but once it is completed, a strong foundation will exist for future compliance efforts. It is important to note that the WISP will need to be reviewed annually to ensure that the risks have not changed and that the security measures are still effective.

In addition, each firm also must realize that the WISP will require an evaluation of third-party service providers that may hold confidential information on behalf of the firm. Examples of third-party service providers would be a payroll company or IT consultant. Review the compliance checklist to ensure that you have included all critical aspects of the WISP.

It is not enough simply to create a WISP; the firm must implement it to protect all covered information, in both hard-copy documents and electronic data. The firm will have to put the appropriate protective measures in place, make all employees aware of the written policy, and train them on how to comply with the WISP.

Look for Data Privacy Part II in next month's Lawyers Journal. Part II will focus on implementation strategies.