Massachusetts is a consumer-friendly state and is extremely friendly to clients of law firms.
Lawyers have serious responsibilities related to protecting the information maintained for your clients. These responsibilities include not just managing the sensitive information in clients’ files, but also the management of your clients’ money in IOLTA accounts.
Like most American jurisdictions, Massachusetts has adopted a technology proficiency requirement and grafted it onto its rules of professional competency (Rule 1.1, Comment 8). That means that, in Massachusetts, a lawyer’s ability to acquire a reasonable understanding of law practice technology has a significant impact on competency.
In the past, some attorneys discounted the usefulness of email. Now discounting email best practices increases your malpractice risk. When coupled with requirements attorneys face for keeping their clients’ data secure, it underscores the importance of the lawyer’s duty to use all means necessary to protect clients’ interests. Investing in better, more intuitive, technology is now critical to attorneys’ ethical duty to clients.
In 2010, Massachusetts adopted one of the strictest data protection regimes in the country. These data protection rules apply to lawyers and law firms and are in addition to any ethical requirements attached to law practice — like the recently revised Rule 1.6, which now references technical data security, too. The Massachusetts laws (Chapter 93H covers data retention, and Chapter 93i covers data disposition) seek to add security protections to specific data sets (social security numbers, financial account numbers, state-issued identification numbers (like license numbers) attached to a first name/late name or first initial/last name) that are vulnerable and attractive to criminals. Thus, business owners in Massachusetts, like many attorney law firm owners, need to take extra precautions when keeping this type of data.
Your law firm must have a WISP (Written Information Security Program). WISP is a document that outlines your firm’s security vulnerabilities, and how you solve them. WISP is a required document under the law. Since the law indicates explicitly that smaller businesses, with fewer resources than larger businesses, should apply solutions commensurate with their ability to pay for those solutions, the WISP should be a document tailored to your business type, and not a boilerplate template. The Massachusetts Office of Consumer Affairs and Business Regulation offers some resources for drafting, and 201 Code of Massachusetts Regulations 17.03 provides useful insight. The WISP should be updated annually, and an employee of the business in question should be appointed to manage the implementation of the solutions articulated.
The bulk of the Massachusetts laws and regulations are concerned with protecting the implicated data sets through electronic means. In an era where cloud software is the default option for most small businesses, password protection is the first line of data defense. The law is also concerned with the adoption of additional security measures, requiring firewalls, the consistent application of suggested security patches and the application of antivirus and system security software that is kept up to date. The existence of the WISP cements the notion that training on the appropriate use of personal and system security is essential.
Most of the discussion around the Massachusetts data security law has been about the encryption requirement which is largely the result of a misunderstanding of encryption. To be encrypted, the information in a file is scrambled unless a password is used to unscramble it. Encryption requirements are basic. Data that is traveling wirelessly or stored on portable electronic devices must be encrypted. If you’ve got sensitive data in an email you’re sending, encrypt the document you’re attaching or encrypt the email itself; Another option is to send the information through an already encrypted medium, like a client portal in your law practice management software. If you have sensitive data on your smartphone, laptop or tablet, you can encrypt each such document, the folders where those documents are saved, or the device itself.
The Massachusetts statutes address data security regardless of how the data is maintained. Paper files containing sensitive information should be covered in the WISP, restricted to persons who require access to them, and stored in locked facilities, storage areas or containers. When you leave the office for the night, lock your office and your file cabinets.
Security regulations don’t just apply to storing information; they also apply to disposing of information. As with the ethics rules, the Massachusetts data protection law also requires that data be disposed of confidentially. Destroyed data must be rendered unreadable or unable to be reconstructed. In other words, you’ll want to use software to delete your hard drive, when you’re getting rid of a device. For paper, you’ll want to crosscut shred it, preferably with a certificate of destruction from a reputable vendor attached. If all that wasn’t enough, the rule adds a protected class of data at disposal — any biometric indicators, which are related to the human body, like fingerprints or a voice recording.
If this all sounds like a lot to manage, that’s probably as good a reason as any to start on your WISP. If you’re looking for an added layer of protection, consider a legal practice management software, like LEAP that ensures these rules are all followed, without any additional work on your part.