Data privacy part II: Lock it Down

Issue March 2010 By Rodney S. Dowell

In the last issue, we discussed the basic statutory requirements of M.G.L. c. 93H and 201 CMR 17.00 in seeking to protect confidential consumer information. As was discussed, the statute and regulations are intended to protect the personal information of Massachusetts residents when used by any business (in any jurisdiction), including law offices.

Personal information includes a Massachusetts resident's first and last name in combination with any one or more of the following: (1) a Social Security number, (2) a driver's license number or state-issued identification card number, and (3) a credit or debit card or other financial account number, regardless of whether a PIN or security code is included.

As discussed last month, you will need to do an audit to determine what personal information you keep, and you must develop your "written information security program" ("WISP") for handling protected data identified in the audit. There is a growing list of third-party vendors and law firms able to help with the first two requirements.

It is not enough to simply create a WISP; you must now implement it to protect all protected information contained in both hard documents and electronic data. Once you have implemented the appropriate measures to protect the data, you must then make all employees aware of the written policy and train them on how to comply with the WISP. Again, there are a number of third-party vendors that can help develop and implement the training. But the question we seek to help answer here, at least in part, is: What tools will you be using that you will need training on?

First, let me deal with what I consider the easy part. What do you need to do to protect paper documents that contain protected personal information? The simple answer is: store records containing personal information in locked facilities. This may be a locked filing cabinet, a locked storage room or even your locked office. However, consider if a third-party vendor, such as a cleaning company, has free access to your locked office, and therefore, free access to the protected records. Best practices, even for simply protecting your client files, would be that you keep information in a locked filing cabinet, safe from water damage, and at least somewhat protected from fire or other disasters.

Here we will address the hard question: How should you protect personal information contained in electronic records? We will start with the easiest area that needs to be protected, your computer system.

Start your compliance effort by securing your computer system from outsiders. The first step is to implement secure authentication protocols for your computer system. This means:

a. Control user IDs;

b. Use secure passwords (i.e., each password is unique and is strong) and/or other identifier technologies;

c. Control access to passwords and keep them away from the data intended to be protected (i.e., don't put your password in a Word document on the computer).

d. Restrict access to electronic data containing personal information to active users who need to know.

e. Set the computer to block access after multiple unsuccessful attempts to gain access.

The ability to comply with each of the requirements above is built into computer operating systems and can be easily implemented by any IT professional, and, for single computers, implemented by the user. If you need help, go to the Windows or Mac support centers and you will be able to find instructions with fairly simple searches.

How to achieve compliance with the electronic data requirements

I believe that the issue of how to comply with the protection of electronic data is perceived widely as the most challenging aspect of the new regulations. If you are storing protected data on portable electronic media, then you must determine how you are going to encrypt the information using a system that 1) is usable, 2) is affordable and 3) does not require a large time commitment. Of course, the simplest, most affordable means of complying is to simply NOT put protected information on a portable hardware device. Ask yourself: Why is the information on a portable hardware device? An obvious reply to this question is that I told you to create a full backup of your computer system and keep the backup off-site. However, many attorneys will not have to have protected data in an electronic format, and for those who do, they may choose a less-effective disaster recovery plan consisting of storing the backup media in a fireproof safe at the office.

Do you need real time access to this data outside of the office? Are you going to access the information in a private location?

a. Encrypt all personal information stored on portable electronic devices, such as laptops, USB flash drives or portable hard drives.

b. Encrypt all personal information that is transmitted wirelessly (i.e., across a wireless Internet network) or that is sent by e-mail. This subject will be covered in Part III.

1. Encryption of personal information on portable electronic devices:

Assuming you really need the data on a portable device, you can use either hardware or software solutions to encrypt the data. As I pointed out in my blog post Mass. LOMAP Law Practice Advisor, one hardware solution is to buy and use secure encrypted hard drives such as Iomega's eGo Encrypt Portable Hard Drive, Lenovo ThinkPad USB Portable Secure Hard Drive, McAfee Encrypted USB Drives or the BUSlink RFID Key Encrypted External Hard Drive. The hard drives use various means of locking and unlocking the data, but all data on the devices is encrypted. If you need less storage capacity for your portable electronic storage devices, you can use encrypted USB flash drives. However, the crème de la crème in this category are the flash drives produced by IronKey, which are described as "self-defending mobile storage" which "employs 'always-on' encryption." This device uses hardware encryption that, according to the company, cannot be disabled or defeated by a cold-boot or brute force attack. (Wikipedia has excellent definitions of the terms used to define the security enhancements.) This USB flash drive will even, after a predetermined number of failed attempts to open the device, erase all of the data. You can also purchase the ability to remotely wipe data from a device in the hands of a person with the key.

Kingston produces a number of encrypted flash drives, including the Data Traveler Vault-Privacy Edition, which encrypts and enforces a complex password for entry. Other manufacturers of encrypted USB flash drives include: SanDisk, CMS Products and Edge Tech Corp. I do not intend this list as an endorsement of any of these companies or products; it is merely intended as a gateway for your search to comply with the new regulations.

There are also a large number of software encryption programs. One of the leaders in the industry is PGP Corp. PGP provides multiple products, but its PGP Desktop Professional provides full-disk encryption, e-mail encryption, IM encryption (for some products), zip archives and a secure "file shred" feature. It appears to be a good full-featured product for most solo attorneys. It also has an affordable Desktop Home version which handles e-mail encryption, volume disk encryption and AOL IM encryption, along with zip archives and secure file shredding.

Other companies selling encryption software include Encryptx Corp., BitArmor, Symantec, McAfee and CryptoForge. There are many free versions of open source encryption software to create encrypted virtual drives, entire hard drives or individual documents. The most well-known is TrueCrypt, which works with Windows 7/Vista/XP, Mac OS X and Linux. Other free programs include FreeOTFE, FREE CompuSec, Cypherix LE Free and LockNote. These free programs use various encryption programs, give varying degrees of control of how much you can encrypt, and offer little or no support. Again, the programs listed here are neither endorsed by me nor are they an exhaustive list of available programs.

You can watch Mark Kupsc, principal owner of Hytech Management, demonstrate how to use TrueCrypt to encrypt your company's protected data. In addition, you can access Kupsc's detailed and easy-to-follow white paper on creating an encrypted folder on your hard drive and how to e-mail encrypted Word 2003 documents. Kupsc made this presentation at the MBA Legal Technology Expo on March 19, 2009.

Also, you should look at your computer operating system to determine what protection is built in. Windows has taken the approach that the more you pay, the more built-in encryption you get. For example, when you purchase the OS Windows 7 Ultimate and Enterprise, you get the built-in encryption BitLocker. You do not get this feature with OS Windows 7 Home or Professional. So look before you buy.

Words of caution are necessary when working with encryption programs. It is great to protect the confidentiality of the information, but it is all useless if you cannot get at the information. If you have never used encryption software before, proceed slowly. Read the fine print, read the instructions and back up the data before you encrypt. Now make sure you know what your keys and passwords are before you encrypt your entire hard drive. Once you have encrypted the data, test the data to ensure that it is encrypted and that you can access the data. Now, delete the unencrypted protected data on all portable electronic devices.
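The test-then-delete sequence above can be scripted so that the unencrypted file is removed only after both tests pass. The following is an added example, not part of the original article or of any product named in it; it assumes a file-based workflow in which your encryption tool produces an encrypted file and you decrypt a test copy from it, and every file name and function name is hypothetical.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def leaks_plaintext(plain_path, enc_path, window=16):
    """True if a 16-byte run of the original shows up verbatim in the encrypted copy."""
    plain, enc = Path(plain_path).read_bytes(), Path(enc_path).read_bytes()
    return bool(plain) and any(plain[i:i + window] in enc
                               for i in range(0, max(len(plain) - window, 0) + 1, window))

def verify(plain_path, enc_path, roundtrip_path):
    """Return a list of problems; an empty list means both of the article's tests passed."""
    problems = []
    if not os.path.exists(enc_path) or os.path.getsize(enc_path) == 0:
        problems.append("encrypted copy missing or empty")
    elif leaks_plaintext(plain_path, enc_path):
        problems.append("encrypted copy still contains readable original data")
    if not os.path.exists(roundtrip_path):
        problems.append("no decrypted test copy, so access is unproven")
    elif sha256_file(roundtrip_path) != sha256_file(plain_path):
        problems.append("decrypted test copy does not match the original")
    return problems

def delete_if_verified(plain_path, enc_path, roundtrip_path):
    """Delete the unencrypted original (and the test copy) only after verify() is clean."""
    problems = verify(plain_path, enc_path, roundtrip_path)
    if not problems:
        os.remove(plain_path)
        os.remove(roundtrip_path)  # the decrypted test copy is unencrypted data too
    return problems

def demo():
    """Constructed files stand in for the output of whatever encryption tool is used."""
    d = Path(tempfile.mkdtemp())
    plain = d / "clients.csv"      # constructed record, not real personal information
    plain.write_bytes(b"Jane Sample,000-00-0000,acct 0000000000000000\n" * 20)
    wrapped = d / "wrapped.bin"    # a tool that packaged the data without encrypting it
    wrapped.write_bytes(b"HDR1" + plain.read_bytes())
    good = d / "clients.enc"       # random bytes as stand-in ciphertext
    good.write_bytes(os.urandom(1024))
    wrong = d / "wrong_key.csv"    # what decrypting with the wrong password yields
    wrong.write_bytes(os.urandom(64))
    trip = d / "roundtrip.csv"     # a correct decryption of the encrypted copy
    trip.write_bytes(plain.read_bytes())
    r1 = delete_if_verified(plain, wrapped, trip)   # refused: data not really encrypted
    r2 = delete_if_verified(plain, good, wrong)     # refused: cannot read the data back
    return r1, r2, plain.exists(), delete_if_verified(plain, good, trip), plain.exists()
```

Note that os.remove only unlinks the file; on the portable device itself, use a secure deletion feature such as the "file shred" function mentioned above.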

Part III will introduce tools for electronic data moving over the Internet or wireless networks.