Keeping Client Data Safe (Final)

Slide 1. Keeping Client (and employee) Data Safe: What attorneys must do to comply with the Massachusetts Data Breach Notification Law

Slide 2. The Massachusetts Data Breach Notification Law

Slide 3. G.L.c. 93H and 210 C.M.R. 17.00
<ul>
<li>establish minimum standards for safeguarding personal information contained in paper and electronic records; and</li>
<li>ensure the security and confidentiality of customer information in a manner fully consistent with industry standards.</li>
</ul>

Slide 4. G.L.c. 93H requires that:
<ul>
<li>every person who owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain, and monitor a comprehensive written information security program (“WISP”) for any records containing such personal information.</li>
</ul>

Slide 5. Does G.L.c. 93H apply to lawyers?
<ul>
<li>Yes. Anyone who keeps “personal information” must have WISP protocols in place no later than March 1, 2010 to:</li>
<li>protect against unauthorized access to (or use of) such information in a way that may result in substantial harm or inconvenience to any consumer, and</li>
<li>protect against anticipated threats or hazards to the security or integrity of such information.</li>
</ul>

Slide 6. “Personal information” means:
<ul>
<li>A Massachusetts resident's first name or initial and last name in combination with:</li>
<li>a social security number, or</li>
<li>a driver's license number, or</li>
<li>a state-issued identification card number, or</li>
<li>a financial account number, credit or debit card number, access code, personal identification number, or</li>
<li>a password that would permit access to a resident’s financial account.</li>
</ul>

Slide 7. “Personal information” does not include public record information
Information lawfully obtained from generally available public records is not considered “personal information” under G.L.c. 93H (for example, title information, assessors' records, or published telephone and address information, whether in print or on the internet).

Slide 8. Your WISP must:
<ul>
<li>Be reasonably consistent with industry standards;</li>
<li>Detail the administrative, technical, and physical safeguards that you have in place to ensure the security and confidentiality of your clients’ (and employees’) personal information; and</li>
<li>Be consistent with safeguards for protection of personal information set forth in any state or federal regulations.</li>
</ul>

Slide 10. Administrative safeguards include:
<ul>
<li>Educating and training yourself and your employees on computer and personal information security.</li>
<li>Using secure access control measures that restrict access to records and files containing personal information.</li>
<li>Encrypting records and files containing personal information that are transmitted over the internet or stored on computers, laptops, or portable devices.</li>
<li>Reasonable monitoring of systems for unauthorized use of or access to personal information.</li>
<li>Maintaining up-to-date system security agent software, firewall protection and operating system security patches.</li>
</ul>

Slide 12. Technical safeguards include:
<ul>
<li>Designating one or more employees to maintain, monitor, improve, and upgrade your WISP so that it operates in a manner reasonably calculated to prevent and detect unauthorized access to (or unauthorized use of) personal information.</li>
<li>Evaluating your WISP at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.</li>
<li>Documenting responsive actions taken in connection with any incident involving a breach of security.</li>
</ul>

Slide 13. Technical safeguards also include:
<ul>
<li>Regularly evaluating and improving employee training and compliance with your WISP.</li>
<li>Imposing disciplinary measures for violations.</li>
<li>Preventing terminated employees from accessing records containing personal information.</li>
<li>Requiring third-party service providers (IT, bookkeeper, contract paralegals) to sign contracts to implement and maintain appropriate security measures for personal information.</li>
</ul>

Slide 15. Physical safeguards include:
<ul>
<li>Developing security policies for storage, access and transportation of records containing personal information outside of business premises.</li>
<li>Imposing reasonable restrictions upon physical access to, and storage of, records containing personal information, such as:
<ul>
<li>Keeping your server in a locked area;</li>
<li>Backing up and archiving your data;</li>
<li>Storing paper files securely in locked facilities, storage areas, or containers, or off-site.</li>
</ul>
</li>
</ul>

Slide 16. What to do if you detect a data breach

Slide 17. “As soon as practicable and without unreasonable delay” you must notify:
<ul>
<li>The affected persons;</li>
<li>The Attorney General;</li>
<li>The Director of Consumer Affairs Business Division;</li>
<li>The Information Technology Division;</li>
<li>The Division of Public Records.</li>
</ul>

Slide 19. There’s no penalty for not having a WISP, but G.L.c. 93H
<ul>
<li>includes a right for the Attorney General to pursue an action under G.L.c. 93A, §4 for failure to notify parties entitled to notice of a data breach, and</li>
<li>may provide a basis for a civil suit by the person affected.</li>
</ul>
