The First Steps to Comply With M.G.L. c. 93H (The Data Privacy Act)

Have you taken the basic steps to comply with M.G.L. C. 93H and 201 CMR 17.00, the Data Privacy Act? We have posted a number of times on this subject, but I thought we could get back to the basics. So, let us start with defining what are we protecting? And, what are the initial steps we must take to comply? First, the Act requires that law offices protect the “personal information” (“PI”) of Massachusetts residents. PI is defined as a Massachusetts resident’s first and last name in combination with any one or more of the following: (i) a social security number, (ii) a driver’s license number or state issued identification card number, and (iii) a credit or debit card or other financial account number regardless of whether a PIN or security code is included. This personal information must be protected as pursuant to the standards mandated by the Act whether the PI is kept as a hard-copy document or an electronic document stored on a portable device or transmitted over the internet.

Ultimately, compliance with the regulations will be judged on a case by case basis, taking into consideration the size of the business, the resources available to the business, the amount of data stored by the business, and the need for privacy and security of the client/customer/employee data. If the Massachusetts Attorney General’s Office believes that an entity did not comply with the security requirements it may seek injunctive relief and/or recover civil fines of up to $5,000.00, and attorneys’ fees and costs. In addition to potential fines and costs any office found in non-compliance will suffer from distress of having to explain to its clients why it was not in compliance with a regulation that was intended to protect its clients’ confidential information. Such a failure would be an embarrassing failure for a law office.

Although the easiest way to comply with the Data Privacy Act is by limiting the amount of personal information gathered or that is kept as either a paper document or that is stored on portable electronic devices to carry protected data. However, this simple solution is probably not feasible for a modern law office. So, here are the first steps that a law firm should take to ensure compliance with the Act.

STEP ONE: CONDUCT AN AUDIT TO IDENTIFY PERSONAL INFORMATION

Compliance with the Act requires that each law office take action to secure protected data, both hard copy and electronic. An effective compliance plan will require that the law firm identify all records in its possession that contain personal information, both electronic and paper, and all portable electronic storage media, including laptops, USB flash drives, portable hard drives, etc., that contain personal information. In addition, the law firm must identify all third-party vendors that either hold or have access to protected data on behalf of the law firm. The process of identifying records which are protected by the regulations will give the law office a much better idea of the scope of work needed for compliance with the regulations. In addition, it will allow the firm to begin the second necessary step for compliance.

STEP TWO: CREATE A WRITTEN INFORMATION SECURITY PROGRAM

The firm must adopt a written policy of privacy and security practices, termed a “written information security program” (“WISP”) for handling protected data. A guide is available to help create a “written information security program” on the Massachusetts Office of Consumer Affairs and Business website, under the tab “For Business” tab and then look for “Identity Theft”. You can also find a compliance checklist to ensure that the WISP is fully compliant with the regulatory requirements. Your WISP will require the firm to set forth the reasonably foreseeable internal and external risks, the likelihood and potential damage from those threats, an evaluation of the sufficiency of existing policies to protect the confidential information, and a determination of how to minimize the risk consistent with the requirements of 201 CMR 17.00. In light of the flexibility provided within the regulations for companies of different sizes and facing different risks, there is no cut and paste WISP that will work for every law firm. Therefore, a law firm should anticipate that this step will be both time consuming, but once it is completed, a strong foundation will exist for future compliance efforts. It is important to note that the WISP will need to be reviewed annually to ensure that the risks have not changed and the security efforts are still effective. In addition, each firm also must realize that the WISP will require an evaluation of third-party service providers that may hold confidential information on behalf of the firm. Examples of third-party service providers would be a payroll company or IT consultant. Review the compliance checklist to ensure that you have included all critical aspects of the WISP.

It is not enough to simply create a WISP; you must now implement the WISP to protect all protected information contained in both hard documents and electronic data pursuant to the WISP. Now the firm will have to implement the appropriate measures to protect the data, and it must then make all employees aware of the written policy and train them on how to comply with the WISP. We will cover strategies for implementing appropriate security measures in the future.