Ultimately, compliance with the regulations will be judged on a case-by-case basis, taking into consideration the size of the business, the resources available to the business, the amount of data stored by the business, and the need for privacy and security of the client/customer/employee data. If the Massachusetts Attorney General’s Office believes that an entity did not comply with the security requirements, it may seek injunctive relief and/or recover civil fines of up to $5,000.00, plus attorneys’ fees and costs. Beyond potential fines and costs, any office found in non-compliance will suffer the distress of having to explain to its clients why it was not in compliance with a regulation that was intended to protect its clients’ confidential information. Such a failure would be an embarrassing one for a law office.
The easiest way to comply with the Data Privacy Act is to limit the amount of personal information that is gathered, that is kept as a paper document, or that is stored on portable electronic devices used to carry protected data. However, this simple solution is probably not feasible for a modern law office. So, here are the first steps that a law firm should take to ensure compliance with the Act.
STEP ONE: CONDUCT AN AUDIT TO IDENTIFY PERSONAL INFORMATION
Compliance with the Act requires that each law office take action to secure protected data, both hard copy and electronic. An effective compliance plan will require that the law firm identify all records in its possession that contain personal information, both electronic and paper, and all portable electronic storage media (laptops, USB flash drives, portable hard drives, etc.) that contain personal information. In addition, the law firm must identify all third-party vendors that either hold or have access to protected data on behalf of the law firm. The process of identifying records that are protected by the regulations will give the law office a much better idea of the scope of work needed for compliance with the regulations. It will also allow the firm to begin the second necessary step for compliance.
STEP TWO: CREATE A WRITTEN INFORMATION SECURITY PROGRAM
The firm must adopt a written policy of privacy and security practices, termed a “written information security program” (“WISP”), for handling protected data. A guide to creating a WISP is available on the Massachusetts Office of Consumer Affairs and Business website: select the “For Business” tab and then look for “Identity Theft”. You can also find a compliance checklist there to ensure that the WISP is fully compliant with the regulatory requirements. Your WISP will require the firm to set forth the reasonably foreseeable internal and external risks, the likelihood and potential damage from those threats, an evaluation of the sufficiency of existing policies to protect the confidential information, and a determination of how to minimize the risk consistent with the requirements of 201 CMR 17.00. In light of the flexibility provided within the regulations for companies of different sizes and facing different risks, there is no cut-and-paste WISP that will work for every law firm. Therefore, a law firm should anticipate that this step will be time consuming, but once it is completed, a strong foundation will exist for future compliance efforts. It is important to note that the WISP will need to be reviewed annually to ensure that the risks have not changed and the security efforts are still effective. In addition, each firm must realize that the WISP will require an evaluation of third-party service providers that may hold confidential information on behalf of the firm; examples of such providers are a payroll company or an IT consultant. Review the compliance checklist to ensure that you have included all critical aspects of the WISP.
It is not enough to simply create a WISP; the firm must now implement it to protect all protected information contained in both hard-copy documents and electronic data. The firm will have to put in place the appropriate measures to protect the data, and it must then make all employees aware of the written policy and train them on how to comply with the WISP. We will cover strategies for implementing appropriate security measures in the future.