Lawyers Journal regularly runs Mind Your Own Business, a column devoted to answering management questions that come up in day-to-day practice for solo and small-firm practitioners.
by Afton M. Templin
Law Offices of Afton M. Templin, North Attleboro
www.templinlaw.com
Names. Addresses. Social Security numbers. Dates of birth. As attorneys, we frequently collect our clients’ sensitive personal information. But what should we do with that information once we have it in our files?
To protect clients and to comply with new identity theft prevention regulations going into effect beginning Jan. 1, 2010, attorneys need to develop written office policies governing how personal information is collected, stored and used. In addition, the Supreme Judicial Court is weighing comments on the Proposed Interim Guidelines, which would require attorneys to redact personal identifying data from documents filed in any court across the commonwealth.
Take time to consider how your firm stores, uses and transmits personal information, and then put those practices into writing. This will both move your firm toward compliance with the new regulations and standardize practices within your firm.
WISPs
In September 2008, the state’s Office of Consumer Affairs and Business Regulation issued 201 C.M.R. 17.00 et seq. The regulations require all persons, including attorneys and law firms, who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts” to take steps to protect that information. Through an executive order, Gov. Deval Patrick required executive branch agencies to take those same steps.
Among other requirements, attorneys must “develop, implement, maintain and monitor a comprehensive, written information security program,” or WISP. 201 C.M.R. 17.03. The purposes of the WISP are to create internal safeguards for personal information, notify employees of what those safeguards are, monitor the implementation of those safeguards, and impose sanctions for security breaches.
The Office of Consumer Affairs and Business Regulation has produced a guide for attorneys and other small businesses to use in crafting a WISP. It is available on the agency’s Web site, at www.mass.gov/Eoca/docs/idtheft/sec_plan_smallbiz_guide.pdf.
Attorneys must also take steps to ensure their firm’s technology is up to par. The regulations require secure authentication protocols and access control measures for electronically stored personal information. All personal information that is stored on portable media, such as laptops or flash drives, or sent over the Internet, must be encrypted. Firewall protection must be reasonably current, and security patches and virus software must be reasonably up to date. Attorneys also need to ensure that they have updated their malware protection.
These steps may appear onerous. However, the Office of Consumer Affairs and Business Regulation has collected data since the state’s identity theft law (G.L. c. 93H) went into effect on Oct. 31, 2007, and 75 percent of the reported breaches involved data that was neither encrypted nor password-protected.
Proposed interim guidelines
With increasing frequency, if someone Googles long enough, they can find electronic versions of court filings online. For example, the Supreme Judicial Court is now posting appellate briefs online, within the case’s electronic docket page.
To lessen the likelihood of personal data contained within those filings being available for the taking, last fall the Supreme Judicial Court’s Standing Advisory Committee on the Rules of Civil and Appellate Procedure’s Subcommittee on Personal Identifying Data invited comments on its “Proposed Interim Guidelines for the Protection of Personal Identifying Data in Publicly Accessible Court Documents.” The text of the Proposed Interim Guidelines is available at www.mass.gov/courts/sjc/docs/Rules/Interim_Guidelines_Protect_Personal_Data.pdf.
The Proposed Interim Guidelines would require attorneys to include only the last four digits of Social Security numbers, taxpayer identification numbers, financial account numbers, driver’s license numbers or passport numbers. If a date of birth is included, it should only be the year of birth. And any reference to a mother’s maiden name is limited to the first initial of the name.
There are exemptions. The personal identifying data can be included if it is required by “law, court rule, standing order, court-issued form, or order issued in the proceeding.” An attorney can also include the data if she “reasonably believes” that inclusion is necessary to resolve the issue. The Proposed Interim Guidelines carry no sanctions for noncompliance.
Conclusion
Attorneys may collect personal information as a matter of habit and practicality. We may have unwritten practices as to how that information is stored and used. But the growing threat of security breaches and the impending compliance deadline for the new regulations make now as good a time as any to translate practice into policy.
Templin’s solo practice focuses on criminal, family law and civil appeals, and research and writing services for attorneys. She is a member of the MBA’s Law Practice Management Section Council, the MLGBA and the WBA.