Compliance with the new Massachusetts data privacy laws

Issue April 2010

by Tricia Oliver

Following welcome remarks from MBA President Valerie A. Yarashus, the Opening Plenary Session at AC10 focused on the newly implemented data privacy regulations. Sponsored by Catuogno & Sten-tel Court Reporting, the session offered a wealth of practical advice for attorneys and law firms.

Although there is no "one-size-fits-all" standard for compliance, panelist David Felper of Bowditch & Dewey shared practical steps attorneys can take to limit the risk of a breach. Felper explained that written procedures and plans are not sufficient and that firms need to have "an ongoing obligation to train employees" on compliance issues.

"There can be significant damages," he warned. Felper also explained that the attorney general's office has taken measures to make sure companies comply with the data privacy laws that went into effect March 1. However, he did say that "we don't expect to see widespread audits."

Co-panelist Scott D. Schafer, chief of the Consumer Protection Division in the Office of Massachusetts Attorney General Martha Coakley, confirmed that. "Currently, the attorney general's office has not authorized any audit program" as part of the enforcement of these new regulations.

Schafer then went on to offer lawyers guiding principles on how to prevent a privacy breach and how to properly report one should it occur. He referred attorneys to as a resource.

"Enforcement of data security is by no means new," said Schafer, whose office led the 44-state investigation of TJX's breach that occurred in 2007.