With serious apologies to Jimi Hendrix and his Experience, for paraphrasing, in a rather ridiculous, but alliterative, at least, manner, such a great song, I am nonetheless hopeful that my cheesiness may be what draws your attention to this post.
I have not yet taken the opportunity to post on the Massachusetts Data Privacy Regime since the law became effective on March 1, 2010. (Yes, just in case you were wondering, the law is now in effect. We have moved from the theoretical to the practical. If you are not currently in compliance with the Massachusetts data privacy laws, you should become compliant forthwith. For more information on the Massachusetts data privacy laws and regulations, you may take a trip down my memory lane: here, here, here, here, here, here, here, here, here and here, in reverse chronological order.) However, I do now have some impetus to write again on this topic, having been asked to participate, and having participated, in a CLE program on the subject, recently put on by Massachusetts Lawyers Weekly. Two points here (two also being the deciding spread in a great collegiate basketball national championship game the other night):
(1) You heard me right. Lawyers Weekly now provides CLE programming. Yup. Says so right here at their CLE homepage. The fact of more options is almost always advantageous to the consumer, in this case, the attorney consumer of CLE programming in Massachusetts. Adding to the mix of MCLE, the various bar associations and miscellaneous providers, the producer of the flagship legal newspaper publication for Massachusetts is attempting to push the boundaries of its current kingdom. Although Lawyers Weekly has begun to brand itself as a CLE provider, the fact has likely not yet made deep penetration into the legal community in Massachusetts. Let this serve, then, as notice of the fact. If the presentation that I participated in is any indication, the future programs emanating from Lawyers Weekly CLE will also feature timely topics, excellent presenters and thoughtful presentations. For a list of upcoming Lawyers Weekly CLE presentations, visit the upcoming program schedule page.
(2) Now, for the program that I participated in. On Friday, March 25th, 2010, I was a member of the faculty for the “New Security Laws, Regulations and Red Flag Rules: Everything Lawyers Need to Know” program that took place from 1 pm to 5 pm. I was joined on the faculty by C. Max Perlman of Hirsch Roberts Weinstein LLP, Tom Catalini, Vice President, Technology at William Gallagher Associates and Jason Egan, Deputy General Counsel at the Office of Consumer Affairs and Business Regulation.
I provided an overview of what I call the Massachusetts Data Privacy Regime, covered the new SJC regulations respecting the submission of personal identifying data in court documents and touched a bit on the FTC’s Red Flag Rules, which will not be effective until June 1, 2010, and which have been held not to apply to attorneys anyway (that third part was a short segment). Max discussed the basic protocol for WISP implementation, offered a playbook for responding to a breach and provided a perspective on enforcement issues. Tom discussed WISP implementation from the IT perspective and covered, generally, practical IT considerations for compliance. Jason provided insight into the OCABR perspective, to the extent that he is able, that is, without answering too specifically, or responding to direct hypotheticals.
I always make it a point, even when I am presenting at CLE panels, to listen to what everyone else has to say, “everyone else” being the presenters and attendees, the former group being, usually, very knowledgeable, and the latter group asking, usually, very good questions. I never fail, in taking this tack, to learn something, at every program I go to. This presentation was no exception.
When others spoke, I took my own sets of notes, and relay now, and below, the most pertinent observations made:
-A resident of Massachusetts, for purposes of the statutes and regulations, is one who makes his primary residence in the state of Massachusetts.
-Remember to restrict the use of, and to monitor, fax machines and copy machines. Many of these machines now have internal memory or hard drives that retain images of the documents they have scanned, printed or faxed, and that stored data can be retrieved by savvy persons seeking to use it for identity theft. Treat those devices as data stores: restrict physical access to them, and wipe or destroy the storage before a machine is sold, returned at the end of a lease or otherwise leaves your control.
-When you’re recycling paper for notes, know what’s on the back.
-Utilize a binder, that includes your WISP, policies for data privacy protection (including for disciplinary measures for employees flouting instituted WISP protections), employee acknowledgments and contracts with third party service providers.
-Third party vendors are required to agree to a contract term, essentially stating that they will comply with Massachusetts data privacy laws and regulations with respect to their access to your protected client information. If a vendor refuses to sign off on such a contract term, the only correct response under the existing rules is to cease doing business with that vendor, and to find another vendor that can provide a similar service. Practically speaking, however, it is sometimes nearly impossible, or most nearly nonsensical, to forgo the use of certain well-respected and long-tenured service providers, which are too large, frankly, to respond to individuals’ requests (read: Outlook, Google, e.g.). The best that can be done in that case is to include in your WISP, and to archive the paper trail backing that recordation, the steps that you have taken, and the research that you have done, to create your fair certainty that, although the service provider may not sign a contract provision, the service in question is robust enough and fairly designed as to be capable, in fact, of protecting your statutorily-defined protected information from identity theft; of course, these latter suggestions do not represent compliance under the law.
-Be exhaustive in attempting to uncover your points of exposure when inventorying your systems for creation of your WISP. Consider the information available in a notary book laid upon a secretary’s desk, or visible on a computer screen, through a window, to pedestrians crossing at a busy intersection, by way of example.
-When implementing IT protections for data security, work backwards from the most restrictive protocols: start with access locked down and open it only where a documented business need requires it, rather than starting open and trying to close holes afterward.
-Do not use defaults for password creation. Default and vendor-supplied passwords are the easiest to crack, because they are published and are the first thing an attacker will try, so change them before a system goes into use. Set parameters for password creation (minimum length, complexity, and when passwords must be changed) and enforce them rather than leaving them to individual users.
-Receipt of email is maintenance of information, unless the email containing the information is wiped completely from your device(s). At the very least, you should be emptying your email trash folder on a regular basis; bear in mind that deleting a message on one device does not necessarily remove the copies held on the mail server, in backups or on your other devices, so those copies need to be accounted for in your WISP as well.
-Consider unique ways of maintaining employee awareness concerning data privacy protection issues. Everyone is inundated by emails every day. Why not try public service announcement-style posters by the printer? Or, humorous YouTube videos?
-The better the system you apply, including the logging and audit trails that show who accessed what and when, the better you can detect and track breaches, and the more fully and accurately you can report to the OCABR and the Attorney General’s Office.
-If a breach occurs, conduct a post-incident review.
-In the event of a breach, discrepancies between your planned protocol and the actual steps you took may be problematic in the eyes of enforcement agents. Make sure that you actually apply the procedures outlined in your WISP, should a breach occur.
. . .
In addition to my observations, relayed above, Max Perlman has been generous enough to allow me to link out to his two fantastic PowerPoint presentations, produced for the program. Those presentations cover “The WISP–Implementing Physical, Administrative and Technical Safeguards: The Basic Program” and “Playbook for Reacting to a Data Security Breach”, both of which slide sets are available at this drop site.