Keeping Client Data Safe (Final)


Transcript of Keeping Client Data Safe (Final)

Page 1: Keeping Client Data Safe (Final)

Keeping Client (and employee) Data Safe

What attorneys must do to comply with the Massachusetts Data Breach Notification Law

Page 2

The Massachusetts Data Breach Notification Law

Page 3

G.L.c. 93H and 201 C.M.R. 17.00 establish minimum standards for safeguarding personal information contained in paper and electronic records, and are intended to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards.

Page 4

G.L.c. 93H requires that:

every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain, and monitor a comprehensive written information security program (“WISP”) for any records containing such personal information. 

Page 5

Does G.L.c. 93H apply to lawyers?

Yes. Anyone who keeps "personal information" must have WISP protocols in place no later than March 1, 2010 to:

protect against unauthorized access to (or use of) such information in a way that may result in substantial harm or inconvenience to any consumer, and
protect against anticipated threats or hazards to the security or integrity of such information.

Page 6

"Personal information" means:

A Massachusetts resident's first name or initial and last name in combination with:

a social security number, or
a driver's license number, or
a state-issued identification card number, or
a financial account number, credit or debit card number, access code, personal identification number, or a password that would permit access to the resident's financial account.

Page 7

"Personal information" does not include public record information.

Information lawfully obtained from generally available public records is not considered "personal information" under G.L.c. 93H (for example, title information, assessors' records, or published telephone and address information, whether in print or on the internet).

Page 8

Your WISP must:

Be reasonably consistent with industry standards;

Detail the administrative, technical, and physical safeguards that you have in place to ensure the security and confidentiality of your clients’ (and employees’) personal information; and

Be consistent with safeguards for protection of personal information set forth in any state or federal regulations.

Page 9

Page 10

Technical safeguards (the computer system security requirements of 201 C.M.R. 17.04) include:

Educating and training yourself and your employees on computer and personal information security.
Using secure access control measures that restrict access to records and files containing personal information.
Encrypting records and files containing personal information that are transmitted over the internet or stored on computers, laptops, or portable devices.
Reasonably monitoring your systems for unauthorized use of or access to personal information.
Maintaining up-to-date system security agent software, firewall protection, and operating system security patches.

Page 11

Page 12

Administrative safeguards (the WISP program elements of 201 C.M.R. 17.03) include:

Designating one or more employees to maintain, monitor, improve, and upgrade your WISP so that it operates in a manner reasonably calculated to prevent and detect unauthorized access to, or unauthorized use of, personal information.
Evaluating your WISP at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
Documenting the responsive actions taken in connection with any incident involving a breach of security.

Page 13

Administrative safeguards also include:

Regularly evaluating and improving employee training and compliance with your WISP.
Imposing disciplinary measures for violations.
Preventing terminated employees from accessing records containing personal information.
Requiring third-party service providers (IT, bookkeepers, contract paralegals) to sign contracts obligating them to implement and maintain appropriate security measures for personal information.

Page 14

Page 15

Physical safeguards include:

Developing security policies for the storage, access, and transportation of records containing personal information outside of business premises.
Imposing reasonable restrictions upon physical access to, and storage of, records containing personal information, such as:

Keeping your server in a locked area;
Backing up and archiving your data;
Storing paper files securely in locked facilities, storage areas, or containers, or off-site.

Page 16

What to do if you detect a data breach

Page 17

"As soon as practicable and without unreasonable delay" you must notify:

The affected persons;
The Attorney General;
The Director of Consumer Affairs and Business Regulation;
The Information Technology Division; and
The Division of Public Records.

(The last two are notified when the owner or licensor of the data is a state agency.)

Page 18

Page 19

There is no penalty for not having a WISP, but G.L.c. 93H:

gives the Attorney General a right to pursue an action under G.L.c. 93A, §4 for failure to notify the parties entitled to notice of a data breach, and

may provide a basis for a civil suit by the persons affected.