In the last issue, we discussed the basic statutory requirements
of M.G.L. c. 93H and 201 CMR 17.00 in seeking to protect
confidential consumer information. As was discussed, the statute
and regulations are intended to protect the personal information of
Massachusetts residents when used by any business (in any
jurisdiction), including law offices.
Personal information includes a Massachusetts resident's first
and last name in combination with any one or more of the following:
(1) a Social Security number, (2) a driver's license number or
state-issued identification card number, and (3) a credit or debit
card or other financial account number, regardless of whether a PIN
or security code is included.
As discussed last month, you will need to do an audit to
determine what personal information you keep, and you must develop
your "written information security program" ("WISP") for handling
protected data identified in the audit. There is a growing list of
third-party vendors and law firms able to help with the first two
requirements.
It is not enough to simply create a WISP; you must now implement it,
protecting all covered information in both paper documents and
electronic data as the WISP prescribes. Once you have put the
appropriate protective measures in place, you must make all employees
aware of the written policy and train them to comply with it. Again,
a number of third-party vendors can help develop and implement the
training. But the question we seek to help answer here, at least in
part, is: which tools will you be using, and therefore need training
on?
First, let me deal with what I consider the easy part. What do
you need to do to protect paper documents that contain protected
personal information? The simple answer is: store records
containing personal information in locked facilities. This may be a
locked filing cabinet, a locked storage room or even your locked
office. However, consider whether a third-party vendor, such as a
cleaning company, has free access to your locked office and,
therefore, free access to the protected records. Best practice, even
for simply protecting your client files, would be to keep information
in a locked filing cabinet, safe from water damage and at least
somewhat protected from fire or other disasters.
Now for the hard question, which we will address here: how should you
protect personal information contained in electronic records? We will
start with the easiest area that needs to be protected, your computer
system.
Start your compliance effort by securing your computer system
from outsiders. The first step is to implement secure
authentication protocols for your computer system. This means:
a. Control user IDs;
b. Use secure passwords (i.e., each password is unique and
strong) and/or other identifier technologies;
c. Control access to passwords and keep them away from the data
intended to be protected (i.e., don't put your password in a Word
document on the computer);
d. Restrict access to electronic data containing personal
information to active users who need to know; and
e. Set the computer to block access after multiple unsuccessful
attempts to gain access.
The means to comply with each of the requirements above is built
into computer operating systems and can be easily implemented by any
IT professional and, for single computers, by the user. If you need
help, go to the Windows or Mac support centers, where fairly simple
searches will turn up instructions.
How to achieve compliance with the electronic data requirements
I believe that the issue of how to comply with the protection of
electronic data is widely perceived as the most challenging aspect
of the new regulations. If you are storing protected data on
portable electronic media, then you must determine how you are
going to encrypt the information using a system that 1) is usable,
2) is affordable and 3) does not require a large time commitment.
Of course, the simplest, most affordable means of complying is to
simply NOT put protected information on a portable hardware device.
Ask yourself why the information is on a portable hardware device
at all. An obvious reply to this question is that I told you to
create a full backup of your computer system and keep the backup
off-site. However, many attorneys will not need to have protected
data in an electronic format, and those who do may choose a less
effective disaster recovery plan consisting of storing the backup
media in a fireproof safe at the office.
Do you need real time access to this data outside of the office?
Are you going to access the information in a private location?
a. Encrypt all personal information stored on portable
electronic devices, such as laptops, USB flash drives or portable
hard drives.
b. Encrypt all personal information that is transmitted
wirelessly (i.e., across a wireless Internet network) or that is
sent by e-mail. This subject will be covered in Part III.
1. Encryption of personal information on portable electronic devices:
Assuming you really need the data on a portable device, you can
use either hardware or software solutions to encrypt the data. As I
pointed out in my blog post Mass. LOMAP Law Practice Advisor, one
hardware solution is to buy and use secure encrypted hard drives
such as Iomega's eGo Encrypt Portable Hard Drive, Lenovo ThinkPad
USB Portable Secure Hard Drive, McAfee Encrypted USB Drives or the
BUSlink RFID Key Encrypted External Hard Drive. The hard drives use
various means of locking and unlocking the data, but all data on
the devices is encrypted. If you need less storage capacity for
your portable electronic storage devices, you can use encrypted USB
flash drives. However, the crème de la crème in this category are
the flash drives produced by IronKey, which are described as
"self-defending mobile storage" which "employs 'always-on'
encryption." This device uses hardware encryption that the maker
claims cannot be disabled, even when subjected to a cold-boot or
brute-force attack.
(Wikipedia has excellent definitions of the terms used to define
the security enhancements.) This USB flash drive will even, after a
predetermined number of failed attempts to open the device, erase
all of the data. You can also purchase the ability to remotely wipe
data from a device in the hands of a person with the key.
Kingston produces a number of encrypted flash drives, including
the Data Traveler Vault-Privacy Edition, which encrypts and
enforces a complex password for entry. Other manufacturers of
encrypted USB flash drives include: SanDisk, CMS Products and Edge
Tech Corp. I do not intend this list as an endorsement of any of
these companies or products; it is merely intended as a gateway for
your search to comply with the new regulations.
There are also a large number of software encryption programs.
One of the leaders in the industry is PGP Corp. PGP provides
multiple products, but its PGP Desktop Professional provides
full-disk encryption, e-mail encryption, IM encryption (for some
products), zip archives and a secure "file shred" feature. It
appears to be a good full-featured product for most solo attorneys.
It also has an affordable Desktop Home version which handles e-mail
encryption, volume disk encryption and AOL IM encryption, along
with zip archives and secure file shredding.
Other companies selling encryption software include Encryptx
Corp., BitArmor, Symantec, McAfee and CryptoForge. There are many
free versions of open source encryption software that create
encrypted virtual drives, encrypt entire hard drives or encrypt
individual documents. The most well-known is TrueCrypt, which works
with Windows 7/Vista/XP, Mac OS X and Linux. Other free programs
include FreeOTFE, FREE CompuSec, Cypherix LE Free and LockNote.
These free programs use various encryption methods, give varying
degrees of control over how much you can encrypt, and offer little
or no support. Again, the programs listed here are neither endorsed
by me nor an exhaustive list of available programs.
You can watch Mark Kupsc, principal owner of Hytech Management,
demonstrate how to use TrueCrypt to encrypt your company's
protected data, at www.catuogno.cc/legal-technology-expo-videos/.
In addition, you can access Kupsc's detailed and easy-to-follow
white paper on creating an encrypted folder on your hard drive and
how to e-mail encrypted Word 2003 documents at
http://drop.io/mbalegaltech. Kupsc made this presentation at the
MBA Legal Technology Expo on March 19, 2009.
Also, you should look at your computer operating system to
determine what protection is built in. Windows has taken the
approach that the more you pay, the more built-in encryption you
get. For example, the Ultimate and Enterprise editions of Windows 7
include the built-in encryption feature BitLocker; the Home and
Professional editions do not. So look before you buy.
Words of caution are necessary when working with encryption
programs. It is great to protect the confidentiality of the
information, but it is all useless if you cannot get at the
information. If you have never used encryption software before,
proceed slowly. Read the fine print, read the instructions and back
up the data before you encrypt. Make sure you know your keys and
passwords before you encrypt your entire hard drive. Once you have
encrypted the data, test it to ensure both that it is encrypted and
that you can still access it. Only then delete the unencrypted
protected data on all portable electronic devices.
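As an added illustration (not the author's or any vendor's code), the checks in this paragraph expressed as a small Python script: it encrypts a constructed sample record, then confirms that the protected values are no longer readable in the container, that the recorded password opens it and yields the original, and that a wrong password is refused, before the plaintext copy may be deleted. The PBKDF2 key derivation and HMAC-SHA256 counter-mode cipher are stand-ins for the product's own encryption (TrueCrypt, BitLocker, an encrypted drive); the three checks are the point.

```python
import hashlib, hmac, secrets

# Constructed sample of the kind of record 201 CMR 17.00 covers; not real data.
SAMPLE_RECORD = b"Jane Q. Public, SSN 000-00-0000, card 4111-1111-1111-1111\n"
MARKERS = [b"000-00-0000", b"4111-1111-1111-1111"]

def _keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # PBKDF2 stretches the passphrase into separate encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _keystream(enc_key: bytes, salt: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the AES a real product uses.
    blocks = (hmac.new(enc_key, salt + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(plaintext: bytes, password: str) -> bytes:
    salt = secrets.token_bytes(16)                 # fresh salt/nonce per container
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()  # encrypt-then-MAC
    return salt + ct + tag

def decrypt(container: bytes, password: str) -> bytes:
    salt, ct, tag = container[:16], container[16:-32], container[-32:]
    enc_key, mac_key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        raise ValueError("wrong password or damaged container")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, salt, len(ct))))

def check_container(plaintext: bytes, container: bytes, password: str,
                    markers: list[bytes]) -> list[str]:
    """The pre-deletion checks; an empty list means the plaintext copy may go."""
    problems = []
    for m in markers:                              # 1. is it really encrypted?
        if m in container:
            problems.append(f"protected value still readable: {m.decode()}")
    try:                                           # 2. can you still get at it?
        if decrypt(container, password) != plaintext:
            problems.append("decrypted copy differs from the original")
    except ValueError as e:
        problems.append(f"cannot open container with the recorded password: {e}")
    try:                                           # 3. does the password gate access?
        decrypt(container, password + "x")
        problems.append("container opens with a wrong password")
    except ValueError:
        pass
    return problems
```

Run `check_container` against the container you actually wrote to the portable device; only an empty result justifies deleting the unencrypted original.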
Part III will introduce tools for electronic data moving over
the Internet or wireless networks.