When the Massachusetts Data Privacy laws went into full effect in 2010, we wrote extensively on the topic; tracking back to this root post, you can access all of our blog posts on the subject. Many of the early episodes of our podcast, the Legal Toolkit, were also dedicated to this topic.
Since 2010, we’ve experienced cyber attacks against major retailers such as Home Depot and Target; celebrity iCloud accounts have been hijacked and exploited; and most recently the White House computer network was breached; and that’s just to name a few of the major data breaches. We’ve learned that the NSA can infiltrate and access individual records stored with major cloud providers such as Google and Yahoo. Sophisticated state-sponsored hackers from countries like China threaten high-level security systems. These newsworthy hacks, in addition to state breach notification laws (i.e. Mass Data Privacy laws), help increase our awareness of and commitment to data security. Whether the NSA can access your client’s data (and even if it wanted to, I’m sorry to break the news to you, but the NSA probably doesn’t care about your clients), really isn’t the point here. It’s the small-time malware and web app attacks, phishing schemes, stolen laptops, lost mobile devices, emails mistakenly sent to the wrong party, unrecoverable data due to faulty or non-existent backups, and free wifi use at your remote Starbucks office that constitute many of the security risks for solo and small law firms.
Suffice it to say, in an era of evolving technology and cyber risks abound, attorneys must devote time to understand the current landscape of electronic data security and enact appropriate measures to protect their firms and their clients. This is the first of a series of posts on data security for solo and small firms, here at the MassLOMAP blog. This first post focuses on the current landscape of data security in Massachusetts, laws that govern, and how to comply.
Back in May of 2014, I organized a data security program at the Social Law Library. We were fortunate to have Barbara Anthony, Undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR) provide an overview and update on the Mass Data Privacy laws, as well as other data security experts discuss the realities of compliance with the laws. If you didn’t have the opportunity to attend, here is what you should know:
When we say Mass Data Privacy laws, we mean M.G.L. c. 93H, breach notification and definitions; M.G.L. c. 93I, standards for destruction of personal information; and implementing regulations 201 CMR 17.00, for protection of personal information. There is no one federal law that governs data security, and thus our reliance on Mass specific laws.
Important to understand is that the laws don’t cover all the information held by a business, but, specific personal information relating to its customers and employees (including independent contractors). (See the definition of personal information covered under M.G.L. c. 93H). For law firms, typically, the law implicates employee and independent contractor records, client records and billing, information transmitted over the Internet, and relationships with third-party vendors.
What law firms need to know, at baseline, is that data stored online is never 100% safe (and neither, for that matter, is data stored offline; in fact, I’d argue it is much less safe). If someone wants to hack into your system, they may be able to, and the law is designed to take that into account. As a result, the law tasks every business in Massachusetts (and even those not located in Massachusetts, but have clients or employees here) to develop and keep a Written Information Security Plan (WISP). The WISP provides an evaluation of reasonably foreseeable risks and safeguards appropriate for protection, as well as the steps to remediate in the event of a breach. Your WISP need not be as robust as Partners Healthcare; it can certainly take into account the size and scope of your business, and should work within those limitations. The WISP should also address proper staff training; indeed, breaches can easily result from a lack of training (i.e. an untrained staff member doesn’t redact a social security number). In terms of working with third party vendors, law firms should do due diligence (and document it) by using a checklist (based on 201 CMR 17.00) to determine whether the vendor’s practices comply with the laws. When transmitting data wirelessly or storing data on a laptop or portable device, it must be encrypted. As described by the Undersecretary, encryption is like “taking a piece of paper and tearing it up, the finer the shredder, the higher the numerical encryption and the harder to piece it back together.” (Don’t worry, I’ll have much more in the way of encryption for you later in this series.)
Putting aside the primary concern of a potential data breach, the practical impact on your clients and employees, the Undersecretary described the enforcement mechanism under the statute. M.G.L. c. 93A, Section 4 provides for indicative relief, restitution, investigation, and civil penalties up to $5,000 for each violation. The statute is silent as to whether a private right of action is sanctioned. According to the Undersecretary, as of May 2014, to her knowledge no law firm data breach had been prosecuted by the Attorney General, but that there had been other actions against law firms under the statute. Furthermore, a report by the OCABR in 2013 found that the majority of breaches in Massachusetts, 85% of the total report, come from the financial services industry. But, as the report concluded, that doesn’t negate the need for other businesses to “understand and appreciate that data breaches cut across a wide variety of sectors and that any organization is vulnerable, regardless of size.” Indeed, as one of the program panelists noted, solo and small firms can be easy targets for hackers because they typically don’t have proper security safeguards in place, and even if there are no resulting legal ramifications, a breach of data will impact the firm’s reputation and thus future business. As the OCABR report provides and as echoed by the data security program speakers: “Planning and creating a culture of security may mitigate and perhaps contain the potentially disastrous effects of data breaches altogether.”
As a first step toward properly securing your firm’s data, take this compliance audit developed by the OCABR to determine whether your firm is in compliance with the Mass Data Privacy laws.
Stay tuned for Part II of my Data Security Series on top tips to protect your data and prevent a data breach.
Launch Center Pro: Thanks to LoMac member, Matthew Yospin, for calling this app out at our last meeting. This app gives you quick access to mobile actions like placing phone calls, creating a new calendar event, directions to/from your home or office, and more.
TweetBot: I downloaded this app after interviewing Jeff Richardson of iPhone J.D. on the Legal Toolkit. I love it thus far.
AppAdvice: For reviews, top apps, guides, and more, download this app.