Creating office policies to protect your client’s personal information

Issue March 2009 By Afton M. Templin

Names. Addresses. Social Security numbers. Dates of birth. As attorneys, we frequently collect our clients’ sensitive personal information. But what should we do with that information once we have it in our files?

To protect clients and to comply with new identity theft prevention regulations going into effect beginning Jan. 1, 2010, attorneys need to develop written office policies governing how personal information is collected, stored and used. In addition, the Supreme Judicial Court is weighing comments to Proposed Interim Guidelines which would require attorneys to redact personal identifying data from documents filed in any court across the commonwealth.

Take time to consider how your firm stores, uses and transmits personal information, and then put those practices into writing. This will both move your firm toward compliance with the new regulations and standardize practices within your firm.


In September 2008, the state’s Office of Consumer Affairs and Business Regulation issued 201 C.M.R. 17.00 et seq. The regulations require all persons, including attorneys and law firms, who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts” to take steps to protect that information. Through an executive order, Gov. Deval Patrick required executive branch agencies to take those same steps.

Among other requirements, attorneys must “develop, implement, maintain and monitor a comprehensive, written information security program” or WISP. 201 C.M.R. 17.03. The purposes of the WISP are to create internal safeguards for personal information, notify employees of what those safeguards are, monitor the implementation of those safeguards, and impose sanctions for security breaches.

The Office of Consumer Affairs and Business Regulation has produced a guide for attorneys and other small businesses to use in crafting a WISP. It is available on the agency’s Web site, at

Attorneys must also take steps to ensure their firm’s technology is up to par. The regulations require secure authentication protocols and access control measures for electronically stored personal information. All personal information that is stored on portable media, such as laptops or flash drives, or sent over the Internet, must be encrypted. Firewall protection must be reasonably current, and security patches and antivirus software must be reasonably up to date. Attorneys also need to ensure that they have updated their malware protection.

These steps may appear onerous. However, the Office of Consumer Affairs and Business Regulation has collected data since the state’s identity theft law (G.L. c. 93H) went into effect on Oct. 31, 2007, and 75 percent of the reported breaches involved data that was neither encrypted nor password-protected.

Proposed Interim Guidelines

With increasing frequency, if someone Googles long enough, they can find electronic versions of court filings online. For example, the Supreme Judicial Court is now posting appellate briefs online, within the case’s electronic docket page.

To lessen the likelihood of personal data contained within those filings being available for the taking, last fall the Supreme Judicial Court’s Standing Advisory Committee on the Rules of Civil and Appellate Procedure’s Subcommittee on Personal Identifying Data invited comments on its “Proposed Interim Guidelines for the Protection of Personal Identifying Data in Publicly Accessible Court Documents.” The text of the Proposed Interim Guidelines is available at:

The Proposed Interim Guidelines would require attorneys to include only the last four digits of Social Security numbers, taxpayer identification numbers, financial account numbers, driver’s license numbers or passport numbers. If a date of birth is included, it should be only the year of birth. And any reference to a mother’s maiden name is limited to the first initial of the name.
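As an added illustration of the three redaction rules just described (not code from the article or from the court), the following Python script applies them to a constructed sample filing and then runs a residual check for anything that still looks like a full identifier. The regular expressions, the label words they look for (“SSN”, “date of birth”, “account number”, “mother’s maiden name”) and the sample text are all assumptions made for this example.

```python
import re

# Constructed sample text standing in for a court filing; it is not from the article.
SAMPLE_FILING = (
    "Plaintiff John Doe, SSN 123-45-6789, date of birth: 03/14/1975, "
    "holds account number 987654321012 at Example Bank. "
    "Mother's maiden name: Smith."
)

# Identifiers written as NNN-NN-NNNN (Social Security / taxpayer ID style).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# A labelled date of birth in M/D/YYYY or MM/DD/YYYY form.
DOB_RE = re.compile(
    r"(date of birth|DOB)(:?\s*)(\d{1,2})/(\d{1,2})/(\d{4})", re.IGNORECASE
)
# A labelled account, driver's license or passport number of five or more digits.
ACCOUNT_RE = re.compile(
    r"((?:account|driver'?s license|passport)\s*(?:no\.?|number)?)(:?\s*)(\d{5,})",
    re.IGNORECASE,
)
# A labelled mother's maiden name.
MAIDEN_RE = re.compile(r"(mother'?s maiden name)(:?\s*)([A-Za-z]+)", re.IGNORECASE)
# Post-redaction check: a full NNN-NN-NNNN value or a run of nine or more digits.
RESIDUAL_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9,}\b")


def last_four(digits: str) -> str:
    """Keep only the last four digits, masking the rest with X at the same length."""
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_identifiers(text: str) -> str:
    """Rule 1: SSNs, taxpayer IDs, account, license and passport numbers -> last four digits."""
    text = SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)
    text = ACCOUNT_RE.sub(lambda m: m.group(1) + m.group(2) + last_four(m.group(3)), text)
    return text


def redact_dates_of_birth(text: str) -> str:
    """Rule 2: a date of birth is reduced to the year only."""
    return DOB_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(5), text)


def redact_maiden_names(text: str) -> str:
    """Rule 3: a mother's maiden name is reduced to its first initial."""
    return MAIDEN_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(3)[0].upper(), text)


def redact_filing(text: str) -> str:
    """Apply all three rules in sequence."""
    return redact_maiden_names(redact_dates_of_birth(redact_identifiers(text)))


def find_residual_identifiers(text: str) -> list[str]:
    """Return anything that still looks like a full identifier after redaction.

    The label-based patterns above only catch values they recognise; an unlabelled
    account number would slip past them, which is what this second pass is for.
    """
    return RESIDUAL_RE.findall(text)


if __name__ == "__main__":
    redacted = redact_filing(SAMPLE_FILING)
    print(redacted)
    print("residual identifiers before:", find_residual_identifiers(SAMPLE_FILING))
    print("residual identifiers after: ", find_residual_identifiers(redacted))
```

The two-pass design matters more than the particular patterns: the first pass rewrites values it recognises, and the second pass flags anything identifier-shaped that survived, so a filing with an unlabelled account number is sent back for review rather than filed. Pattern matching of this kind supports a human check of each filing; it does not replace one.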

There are exemptions. The personal identifying data can be included if it is required by “law, court rule, standing order, court-issued form, or order issued in the proceeding.” An attorney can also include the data if she “reasonably believes” that inclusion is necessary to resolve the issue. The Proposed Interim Guidelines carry no sanctions for noncompliance.