There has been some, but perhaps not enough, recent consternation and handwringing over the Massachusetts Data Protection Act, passed in 2007 and set to become effective, after a few false starts, on January 1, 2010.
The Act, which spawned, among other things, Massachusetts General Law Chapter 93H, 201 Code of Massachusetts Regulations 17, and the guidance pieces and other public information issued by the state Office of Consumer Affairs and Business Regulation (OCABR), has created the coming Massachusetts data protection regime. We have covered the new regime, and the importance of your compliance, here previously at the LOMAP blog, specifically here, here and here. Underscoring those posts is the fact that you must be paying attention: the data breach law applies to all businesses, including law firms. Not only does the law affect Massachusetts businesses; it affects out-of-state businesses as well, when the record data of Massachusetts residents is breached. (What I am implicitly peddling: Don’t be boo-hooing, comply now!) Some aspects of the statutes, regulations and guidance are clear; other parts are not so clear. There are some difficulties in reading the tea leaves here. In particular, the statute suffers from a lack of definition (important terms, including “maintain”, “store”, “own” and “license”, go undefined), and we are talking about a statute attempting to govern the uses of technology, written by a bunch of lawyers, known technophobes. All this means that we can only make our best guesses as to what the darker portions of the law mean, until the courts further define the rules. And the trick will be to make your best efforts at compliance, in the hope that you may avoid a breach, and not be one of those sacrificial lambs dragged before the court to answer for a breach in the search for definition. Keep in mind that those violating the statute will likely be treated better if they have made reasonable attempts to comply, as against those who have made no, or unreasonable, attempts.
This is not to say that I don’t think the statute is a good thing. It is certainly important to protect the privacy of residents’ information, and to have the government standing guard to make certain that residents’ expectations for the privacy of their sensitive data are reasonable. However, no legislation is perfect, and loopholes crawl over the best of intentions. So, in due course, we will analyze the thornier parts of the rules from time to time here at the Blog. You’ll not, then, find a general primer on the new regime now. If you’re looking for that, hit the MBA’s “Latest in the Law” Conference on May 13, 2009, and watch Alan Klevan, Mark Kupsc and me present on the topic.
In the meantime, you’re stuck with more focused analysis, stemming from my appearance on Wednesday night at a meeting of Leanna Hamill and Alexis Levitt’s Women Attorneys Network of the South Shore (WANSS). (PLUG: WANSS, in addition to having a cool-sounding acronym, is also a great (and very active) networking group for women attorneys on the South Shore; plus, they get Whole Foods for their meetings, which is pretty baller.) So, at the May 6 WANSS meeting, I was inundated (well, not really, but it sounds better for dramatic effect) with questions on what the new data privacy regime means for paper files. I must admit that I was sort of taken aback, because nearly the entirety of the statute deals with electronic matter and the protection of electronic data; and this is all anybody seems to talk about. So, I went home, and I puzzled and puzzled ‘til my puzzler was sore, and I looked at the statutes, regulations and guidance. And then I looked at them again. And, come to find out, there are few, yet still some, directives respecting what to do with paper files when the new regime becomes effective and enforceable on January 1, 2010.
With respect to Massachusetts General Law Chapter 93H, the Section 1 definition of “data”, meaning the data that would include the personal information to be protected, is broader than perhaps expected, and goes beyond electronic matter alone, in providing that “data” is “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics”. That definition is pretty darn broad, and would certainly include paper files. But this definition, and the subsequent references to data, are the only places within that statute where paper files could be said to be implicated. Still, any references to paper files, in both the statute and the regulations, cannot be far-reaching, given the focus of the laws. For example, provisions for the wireless transmission of documents and for documents accessed on PDAs necessarily refer to electronic matter. (Interestingly, the CMRs switch things up a bit. The same definition there does not apply to “data”, but to a “record”, or to “records”, instead; the effect of that switch may be a topic for another day.)
The CMRs implicate paper files in a few different ways, and the regulations provide some more explicit guidance, buttressing and expanding upon the statutory language, as CMRs should do. In section 17.03, the regulations indicate that a Written Information Security Program (WISP) should include physical safeguards for the protection of personal information. This is aimed, in part, at getting businesses to establish protocols for the safeguarding of paper files, as is laid out more explicitly later in 17.03, where the regulations indicate that businesses should (unless the business treats all records as containing personal information) identify all records (and record-holding media), including paper files, that are used to store personal information. The meat of the Section 17.03 requirements for paper files appears in the requirement to place “reasonable restrictions upon physical access to records” (which reasonable restrictions should be developed into a written procedure appearing in the company WISP). Storage of records, the section summarizes, should limit physical access, and paper files should be kept in “locked facilities, storage areas or containers”.
The OCABR, in addition to the CMR, contributes a Compliance Checklist, which is, in essence, a series of questions aimed at determining how well you are complying with the personal information protection regime. Although this guidance does not have the force of law or regulation, it is valuable for assisting businesspersons in determining how to treat paper files, mostly because this is where you will find the most explicit references to paper files. As I intimated, several of the checklist questions reference what to do about paper files. In summary, here is what they are getting after (and all of the checklist questions are based on the law and regulations):
Make sure you identify which paper files contain personal information to be protected, or treat all paper files as containing personal information to be protected.
Make sure you determine the reasonably foreseeable internal and external risks to paper files.
Make sure that physical safeguards are in place respecting access to paper files containing personal information.
Make sure those safeguards are recorded in your WISP.
Make sure that the implementation of physical safeguards for personal information in paper files includes the storage of those files in locked facilities, storage areas or containers.
Missing from, or undercovered in, a number of discussions I have come across on this topic has been any analysis of the companion statute, Massachusetts General Law Chapter 93I, which provides minimum standards for the proper disposal of records containing personal information. This will likely come to be, or should likely be, the largest concern for attorneys with respect to their paper files holding personal information (although the statute covers the destruction of both electronic and paper matter). In addition to providing guidance for the proper destruction of files, the statute also subtly expands the personal information that is subject to the law, adding, to the name-plus-one formulation of 93H, a fourth protected category: name plus any biometric indicator. 93I smartly provides two destruction protocols: one for electronic matter and one for paper matter. For paper files, the statute spells out the ways by which destruction is proper: “paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed.” This is some pretty specific guidance, which is helpful; and this is as it should be, since civil penalties for violations run up to $100 per data subject affected, and up to $50,000 per incident of improper disposal. Coupled with fines of up to $5,000 per incident under 93H, we are not talking chump change here, either. This disposal statute is generally important to law firms disposing of paper files in due course; but it becomes a larger issue the more files you are destroying, and could particularly affect those firms going paperless, and destroying mass amounts of paper files in the process.
Now that you have been thoroughly frightened, the question becomes: What can you do about it? And, a reading of the analysis above yields some best practice suggestions, as follows:
Treat all of your paper files as if each contains personal information subject to the statute.
(This is the easiest way to comply, and cuts down on the painstaking task of reviewing all of your files to determine which have, and which have not, personal information to be protected.)
Keep your paper files in file cabinets that are locked when not in use. Restrict access to those files to those persons who have a compelling business interest in using them.
(Although the regulations here are quite vague, and could be read to mean that it would be all right if you segregated your files by putting them in a plastic bag in the middle of your waiting room, it is best to segregate them in a way that will actually help you stay out of trouble. Comply to the fullest extent possible.)
Dispose of paper files in accordance with the mandates of 93I.
And, as always, should you have any questions remaining respecting the new Massachusetts data protection regime, please do not hesitate to contact us here at LOMAP.