New Massachusetts Data Security/Privacy Regulations and Small & Mid-Size Law Firms
March 22, 2010
What the New Massachusetts Data Security Regulations Really Mean for Small and Mid-Size Law Firms
You may have heard of the new regulations released by the Massachusetts Office of Consumer Affairs and Business Regulation – specifically, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (PDF link).
These regulations apply to anyone who owns or licenses certain information (so-called “personal” information) about a Massachusetts resident, but for the purposes of this discussion, we’re going to limit ourselves to how these regulations apply to law firms.
Many law firms, and especially smaller firms, don’t have an in-house IT person or technical staff, which leaves the attorney or office manager to grapple with the issues raised by these regulations – issues which in many cases go well beyond their areas of expertise. The goal of this article is to help people understand how these regulations apply to them in plain English.
Note: While we hope you find this article helpful, this isn’t meant to be a definitive guide as to what you should do to make sure your firm complies with these new regulations. This is just general advice and tips.
First, some definitions – the regulations themselves contain a far more extensive “definitions” section (see section 17.02 of the actual regulations) – so we’ll just cover the basics here.
What exactly is “personal” information? The regulations define what constitutes “personal” information – specifically, information that is personal is: A person’s first & last name (or first initial & last name) in combination with any one (or more) of the following:
- Social Security number
- Driver’s License Number (or other state-issued ID number)
- Financial account number(s) (checking/savings account number, etc.)
- Credit card number(s)
What exactly am I required to do? In general, you have to take steps which are appropriate to the size, scope, and nature of your business (and to the amount of “personal” information you hold) to protect that information from unauthorized access and use. More or less, this means coming up with a comprehensive written information security program (the regulations’ own term, in section 17.03) describing how the personal information you have is kept safe, keeping that plan up-to-date (the regulations call for reviewing it at least once a year, or whenever your business changes materially), and making sure everyone in your firm is educated about the plan.
Section 17.04 of the regulations spells out what you have to do as far as computer security is concerned. This section is broken down into a number of topics relevant to computer security.
Secure User Authentication: This is a very technical way of saying “user names and passwords.” We’ve posted a link to an article from Microsoft on choosing strong, secure passwords before, but in general, the longer your password is, the more secure it will be (provided it isn’t something an attacker can simply look up). For most people, the password you need to worry about the most is the password you use to log on to your computer (that is, log on to Windows). Fortunately, Windows allows very long passwords (up to 127 characters), including spaces, punctuation, and upper & lower case letters, so you can pick very long, but easy (for you) to remember passwords. You can use entire sentences, complete with punctuation, if you want. Going to 15 characters or more has a side benefit on Windows XP: passwords of 14 characters or fewer are also stored in the old, easily cracked “LM hash” format unless you turn that off, while longer ones are not.
For example, the password (or “pass-phrase” as it’s sometimes called when it’s this long) “I grew up on my uncle’s farm in Sudbury, Massachusetts” is very long (54 characters), which makes it very strong. Counting only the 95 characters you can type on a U.S. keyboard (letters, numbers, punctuation marks, and the space), there are 95 to the 54th power, roughly 10^106, possible combinations of that length; nobody can try them all. Two caveats, though: an attacker who assumes you picked an English sentence has far fewer possibilities to work through than that figure suggests, and password-guessing tools come with lists of famous quotations, song lyrics, and Bible verses. So make the sentence your own (a private fact, like the one above, rather than anything quotable); the number of private sentences a person might write is still enormously larger than any list a guessing program can carry. The benefit of a long pass-phrase like this is that its length gives it strength (it’s hard for someone else to “guess”), but the fact that it’s a plain English sentence makes it easy for you (the user) to remember. After all, a good password does you no good if you can’t remember it!
Another useful tip is that most computer systems can limit the number of times you can try to log on with the wrong password (3 or 5 are the usual number of tries you’re allowed). After a few wrong tries you are locked out, or you have to wait a period of time before you can try again. This helps prevent people from just guessing passwords as fast as they can (usually automatically, using another computer). Note that a Windows PC that isn’t part of a domain has this turned off out of the box (the lockout threshold is “Never”), so it’s something you have to switch on yourself.
However, the built-in “Administrator” account in Windows is exempt from this lockout on a stand-alone PC (and the equivalent “root” account on Mac OS X and Linux usually isn’t locked out either), the reasoning being that you need at least one account you can’t be locked out of, so that you can log on and unlock the people who guessed wrong. It is therefore very important to set a very strong password for the “Administrator” account. If your “Administrator” account doesn’t have a good password, then all of your other good passwords are useless, since by definition the “Administrator” account has access to everything on your computer. On Windows Vista and Windows 7 the built-in Administrator account is disabled out of the box; leave it that way, and do your own administration from a separately named account that is a member of the Administrators group (that account is subject to the lockout like everyone else).
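As an added example (not from the original article), here is how the lockout limit and the Administrator password discussed above are set on a stand-alone Windows machine, typed into an elevated (Run as administrator) PowerShell or command prompt window. The threshold and the two durations are assumptions; adjust them to taste.

```powershell
# Added example, not from the original article. Run in an elevated
# PowerShell or cmd window on a stand-alone (workgroup) PC.
# The numbers are assumptions: 5 tries, 15-minute lockout, 15-minute window.

# Show the current policy. On a workgroup PC "Lockout threshold" reads "Never".
net accounts

# Lock an account after 5 wrong passwords, for 15 minutes, and reset the
# bad-password count 15 minutes after the last wrong try.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# The built-in Administrator account is exempt from that lockout, so it gets
# its own long passphrase. The "*" makes Windows prompt for the password
# instead of leaving it in the command history.
net user Administrator *

# Vista/7 ship with the built-in Administrator disabled; keep it that way and
# do day-to-day admin from a separate named account. On XP, only do this after
# you have confirmed (with the first command) that another member of the
# Administrators group exists, or you lose the ability to administer the PC.
net localgroup Administrators
net user Administrator /active:no

# Confirm: "Account active" should now read "No".
net user Administrator
```

The lockout settings apply to every local account except the built-in Administrator, which is exactly why that account is the one to disable or, on XP, to give the longest passphrase.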
Secure Access Control Measures: In general, this means that people only have access to the files & data that they actually need to get their job done. Your bookkeeper, for example, doesn’t need access to your clients’ financial statements; that’s not part of his or her job. Likewise, your receptionist doesn’t need access to your firm’s financial records (unless your receptionist is also your bookkeeper, of course!).
All versions of Windows since Windows 2000 provide easy ways for you to set “permissions” on files and folders, so that you can give access to files to some users, but not to others. (Two conditions: the drive has to be formatted as NTFS rather than the older FAT32, which has no permissions at all, and on Windows XP Home the permissions tab is hidden unless you boot into Safe Mode.) However, these “permissions” depend on the user who is logged onto the computer, so if you have two or more people “sharing” a computer, make sure that you have a separate user name (with its own password) for each of them. Otherwise, from the computer’s point of view, they are all the same person and have access to the same files. For the same reason, the accounts people work in day to day should not be Administrator accounts: an Administrator can take ownership of any file and bypass whatever permissions you set.
Secure access control also means disabling or deleting user accounts for people once they no longer work for you. This is something that many people forget to do, and the result is that the ex-employee now has a “back door” into your files. Even if he never intentionally uses it, the account is still around; he may re-use his password somewhere else, it may get stolen there, and now whoever stole the password has access to your files! Make it part of a departure checklist, together with changing any passwords the person shared with everyone else (the router’s administration password, the wireless network key, the password on a shared email or bookkeeping account) and collecting keys, laptops, and USB drives.
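An added example, not the article’s own, of both points above on one machine using the built-in icacls and net commands (Windows Vista and 7; Windows XP has the older cacls instead). The folder names, the local group “Attorneys”, and the users “alice”, “jane” (the bookkeeper) and “bob” (the person leaving) are made up for the illustration.

```powershell
# Added example, not from the original article. Windows Vista/7, NTFS drive,
# elevated prompt. Folder, group and user names are made up.

# A local group for the attorneys; group membership is easier to review than
# per-person permissions sprinkled over many folders.
net localgroup Attorneys /add
net localgroup Attorneys alice /add

$bookkeeping = 'C:\Firm\Bookkeeping'
$clients     = 'C:\Firm\Clients'

# Stop inheriting the permissive defaults from C:\ (which normally let every
# user read everything) and grant explicit rights only, in one operation.
# (OI)(CI) = also applies to the files and subfolders inside;
# F = full control, M = modify (read, write, delete, but not change permissions).
icacls $bookkeeping /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'jane:(OI)(CI)M'
icacls $clients     /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'Attorneys:(OI)(CI)M'

# Check: the bookkeeper (jane) must not appear on the client folder, and the
# attorneys must not appear on the bookkeeping folder.
icacls $bookkeeping
icacls $clients

# When bob leaves: disable rather than delete (files he owns and log entries
# that mention him stay intelligible), and drop him from every group.
net user bob /active:no
net localgroup Attorneys bob /delete
net user bob
```

Reviewing `net localgroup Attorneys` and `icacls` output on each shared folder every few months is a cheap way to catch access that should have been removed but wasn’t.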
Encryption of personal information sent over public networks (e.g., the Internet): For most people, this refers to email – but it can also refer to websites where you upload files or enter and save information.
Encryption is a complicated topic in itself, but you can think of it as “locking” something in a box or safe, so that no one else can open it up. With email, encryption means that you lock the message before sending it, and the recipient has to have the matching “key” so that when he receives it, he can unlock it. (With the standard email encryption systems, S/MIME and PGP, the recipient creates his own pair of keys in advance and gives you the “public” half, which locks messages that only his “private” half can unlock. With a password-protected attachment, the key is simply the password, which you then have to get to him some other way.)
The difficulty here is of course that the recipient must already have the key to unlock the email in the first place. It’s sort of a catch-22 situation: no matter what you do, you need the recipient to somehow already have the “key” before you can send encrypted email. There is no easy answer to this, other than not sending “personal” information via email in the first place. There are many different third party services which offer ways to send encrypted email, but all of them involve making the person to whom you’re sending the email do something “extra” to get your message. Whether this involves signing up for an account with the third party service or something else entirely, he will have to do something. (This is one of the main reasons that encrypted email, although it’s been possible for years and years, has never caught on.) If you fall back on a password-protected attachment, give the recipient the password by phone or in person, never in the same email as the attachment or in a follow-up email; anyone who can read the one can read the other.
As far as email is concerned, it’s worth remembering that you only need to encrypt emails that contain “personal” information, and remember that “personal” information isn’t just someone’s name: it has to be a name together with some form of ID number (SSN/license/credit card/account number). So if you never send that sort of thing by email, you’ll never have to encrypt your email. The simplest way to stay on the right side of this is to leave the identifying numbers out of the message entirely and convey them by phone when they are actually needed.
If you only need to send personal information by email once in a while, you might be able to get by with one of the third party solutions for encrypted email – assuming that you let the recipient know in advance that he’s going to have to do something extra to get your file. Alternatively, you might turn to a secure website for transferring files – we’ve talked about this before here in our article on “Solving the problem of sending sensitive files by email.”
If you upload files that contain personal information to any website (or if you enter and save personal information into a website), the connection to the website has to be encrypted. Check two things: the address in your browser starts with https:// (not http://), and the little “lock” icon is shown without the browser having warned you about the site’s certificate (clicking through such a warning means you can no longer tell who you are really connected to). Bear in mind that the lock covers only the connection between your browser and the website; it says nothing about how the site stores the information once it arrives.
If you use a third party website which saves personal information, you also have to check with the provider of that website to make sure that the information you’re saving there is adequately protected. The regulations (section 17.03) expect you to take reasonable steps to pick providers that are capable of protecting the information and to require that protection in your contract with them; basically, the people who run the website have to comply with the Massachusetts regulations just as you do.
Reasonable Monitoring: In general, this means exactly what it sounds like: take reasonable steps to monitor your computers and make sure that no unauthorized use has taken place. In other words, it means “be aware of your stuff.” What constitutes “reasonable” will depend greatly on the size and resources of your firm, but in general you’d want Windows to keep a record of failed logons (Windows XP doesn’t on a stand-alone PC unless you turn auditing on, and it’s worth confirming on Vista and 7) and you’d want someone to look at that record now and then for repeated failures against one account (this might mean that someone’s trying to guess your password and log on). Two other things worth checking periodically: the list of user accounts on each machine (is anyone there who shouldn’t be?) and the anti-virus program’s own log.
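An added example (not from the original article) of the kind of record described above: a PowerShell snippet for Windows Vista or 7 that turns on auditing of failed logons and then lists accounts with five or more failures from the same place in the last day. The threshold, the time window, and the positions of the fields inside event 4625 are assumptions noted in the comments; Windows XP records failed logons under a different event number (529), so the filter would need changing there.

```powershell
# Added example, not from the original article. Windows Vista/7, elevated
# PowerShell 2.0 or later. The threshold (5), the window (24 h) and the
# property positions inside event 4625 are assumptions made for this example.

# Make sure failed logons are recorded at all (the "Logon" audit subcategory).
auditpol /set /subcategory:Logon /failure:enable

$since = (Get-Date).AddHours(-24)

# 4625 = "An account failed to log on". Get-WinEvent errors out when there
# are no matching events, hence the SilentlyContinue.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Pull the fields we care about out of each event's property list
# (assumed positions: 5 = account name tried, 10 = logon type, 19 = source IP).
$rows = foreach ($e in $failures) {
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $e.Properties[5].Value
        Type    = $e.Properties[10].Value   # 2 = at the keyboard, 3 = over the network, 10 = Remote Desktop
        Source  = $e.Properties[19].Value
    }
}

# Five or more failures against one account from one source inside the window
# is the "someone is guessing" signal the article describes.
$rows |
    Group-Object Account, Source |
    Where-Object { $_.Count -ge 5 } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = $_.Group | Sort-Object Time
        '{0,4} failures  {1,-40} {2}  to  {3}' -f $_.Count, $_.Name, $times[0].Time, $times[-1].Time
    }
```

A hit with logon type 10 (Remote Desktop) from an address you don’t recognize is the one to act on first; a handful of type 2 failures against your own account on a Monday morning is usually just a mistyped passphrase. Scheduling the script to run daily (Task Scheduler) and mailing or saving its output is what turns “we could look at the log” into the monitoring the regulations ask for.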
Encryption of Personal Information on Laptops and other Portable Devices: This part of the regulations is required because laptops and other “portable” computers (netbooks, iPhones, Blackberries, etc.) are naturally more susceptible to being stolen, due to the fact that they are portable – you might forget your laptop somewhere, or it might be stolen, and so on. Because of this, you need to take extra precautions with the information on portable computers.
For example, if someone steals your laptop, even though you have a very good, strong password that prevents him from just logging on and reading your files, he can still take your laptop’s hard drive out of the laptop and plug it into a different computer and read the files off of it, or simply boot the laptop from a CD or USB stick and read the drive without ever logging on to Windows. (The same thing goes for desktop computers as well, but since they are safe behind the locked doors of your office, it is less of a worry.)
To prevent someone from just reading the files off of your laptop’s hard drive, you need to “encrypt” the files, locking them with a “key” which only you know. Fortunately, this is not very hard to do, although there are many different ways to go about doing it. We’ve talked about encrypting your client files here before, in our article on “Keeping your Client’s Data Safe.” If you use Windows (the Professional, Business, Ultimate or Enterprise editions; the Home editions leave it out), and you have a good, strong password, you can use the file encryption that is built right into Windows itself (EFS; see our article for links on how to go about doing this). Two points about EFS: your Windows password is what protects the encryption key, so a weak password makes the encryption worthless, and if the account is ever lost (a reinstall, or a forgotten password reset by an administrator) the files are unreadable unless you backed up the EFS certificate and key beforehand, so do that and keep the copy somewhere other than the laptop.
The only files you absolutely have to encrypt (as far as these regulations are concerned) are the files that contain “personal” information. However, if you have lots of files in many different programs all over your computer (and bits of them in temporary files, email attachments and the like), you may want to encrypt the entire hard drive (using “whole-disk” encryption), which also covers the page file and anything you forgot about. The top-end editions of recent Windows versions (BitLocker, in the Ultimate and Enterprise editions of Windows Vista and Windows 7) have whole-disk encryption built-in, or you can use a third party solution. Whichever you choose, print the recovery key it gives you and keep it somewhere other than the laptop bag; without it, a forgotten password or a failed motherboard means the data is gone.
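An added example (not from the article or its earlier linked piece) of the two built-in Windows routes above, EFS for a client folder and BitLocker for the whole disk, using the cipher and manage-bde commands. The folder path and the backup drive letter (a USB stick that is then locked away) are assumptions.

```powershell
# Added example, not from the original article. Elevated prompt; the folder
# and the backup drive letter (D:, a USB stick kept under lock) are assumptions.

# 1. EFS: encrypt the client folder, the files already in it (/a) and every
#    subfolder (/s). Files saved there later are encrypted automatically.
#    Needs NTFS and a non-Home edition of Windows.
cipher /e /s:C:\Clients /a

# 2. Check the result: "E" marks encrypted entries, "U" unencrypted ones.
cipher /s:C:\Clients

# 3. EFS stands or falls with your Windows password (that is what protects the
#    key), and a lost account means lost files. Back up the certificate and
#    private key off the laptop; cipher prompts for a password to protect the
#    backup file (it writes D:\efs-key-backup.pfx).
cipher /x D:\efs-key-backup

# 4. Whole disk: BitLocker (Windows 7 or Vista, Ultimate/Enterprise editions).
#    On a laptop without a TPM chip you first have to allow a USB startup key
#    in Local Group Policy (Windows 7: Computer Configuration > Administrative
#    Templates > Windows Components > BitLocker Drive Encryption > Operating
#    System Drives > "Require additional authentication at startup") and add
#    "-StartupKey D:" to the command below.
#    -RecoveryPassword creates a 48-digit recovery password: print it and file
#    it with the firm's other records, not in the laptop bag.
manage-bde -on C: -RecoveryPassword

# 5. Watch the percentage; the machine stays usable while it encrypts.
manage-bde -status C:
```

Step 3 is the one people skip and regret: EFS without a backed-up key turns a forgotten password into permanent data loss, which is why whole-disk encryption with a printed recovery password is the simpler arrangement for a firm with more than a couple of laptops.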
As far as portable devices (iPhones, Blackberries, etc.) go, there may be encryption software available, or you may be able to use a PIN/password feature of the phone itself to “lock” the phone completely so that if it’s stolen, no one can use it. Both the iPhone and the Blackberry can also be set to erase themselves after ten wrong PIN attempts, and both can be wiped remotely once you report the phone missing; erasing the phone’s memory of course also erases any personal information on it, thus keeping it safe from unauthorized use. A four-digit PIN is a weak lock on its own, so the erase-after-ten-tries setting is what makes it worthwhile.
Up-to-date firewalls, anti-virus, anti-malware: This section of the regulations is just formalizing what you should already have – to use a computer that’s connected to the Internet these days without some sort of firewall or anti-virus is just asking for trouble. Fortunately, all of these options are very easy to take care of.
If you have an Internet connection to your office, chances are you have some sort of “router” into which you plug your computers and which then is connected to your actual Internet connection (DSL/Cable modem, etc.). Your DSL or Cable modem may even be a router itself; this depends on your Internet provider and the manufacturer of your DSL/Cable modem. Most modern routers also act as a firewall, keeping the computers in your office “invisible” from the outside Internet (connections can go out, but nothing can come in unless you set up a rule for it). Some even offer more advanced filtering options; you should check the manual that came with your router to be sure. Two checks worth making while you have the manual out: change the router’s administration password from the factory default (those defaults are printed in every manual and listed all over the Internet), and make sure any wireless network it provides is protected with WPA2 and a long key rather than the older WEP, which can be broken in minutes.
In addition to your router, chances are your computer itself has a “software” firewall built in: all versions of Windows since Windows XP Service Pack 2 have one. As long as you haven’t turned it off, it should be silently doing its job, keeping outsiders from connecting to your computer (and, just as usefully, keeping an infected laptop that someone plugs into your office network from connecting to your other computers, which the router’s firewall does nothing about).
Anti-virus and anti-malware programs are likewise easy to come by, although you need to take care with selecting a reputable vendor, as some spyware/malware disguises itself as anti-spyware or anti-malware programs – so you think you’ve installed a program to protect you, when in fact it is not doing anything but infecting your computer!
There are many well-known names as far as anti-virus programs go – and most of them are available as a “suite” of products, that includes a firewall, anti-virus, and anti-malware. Some you must pay for (and these usually include extra options, for example the ability to administer remotely the settings for all the computers in your office), while others are free. Although we tend not to recommend any one product over another, Microsoft does have an anti-virus and anti-spyware program called Microsoft Security Essentials which is both free and very effective. There are of course other products, which you can easily find both online and at your local software/office supply store.
Education and Training: The final aspect of these regulations involves both education and training. Basically, all the security in the world won’t do any good if the people using the systems aren’t educated about how it works and what they need to do to keep it working. Keep yourself and your staff informed on what proper procedures are for handling personal information in your firm so that no mistakes are made. (For example, you might prohibit your staff from copying files with personal information onto USB flash drives to take home and work on – since their home computers and the USB flash drive itself are not subject to your control and might not be secure.)
In many security breaches, the problem is not a technical one, but a case of “human error” (a file emailed to the wrong person, a laptop left in a car, a password written on a sticky note). So keep your staff informed on how personal information must be treated and you will greatly reduce the chances of unauthorized use of personal information.
Final Thoughts: Although the new Massachusetts data security regulations may appear to be somewhat complex or demanding at first glance, many of the things mandated by these regulations are actually things you are already doing (or should be doing). Although you do have to do some extra work to keep on top of your security policy (such as writing it down and keeping it up-to-date), most of the other things you are required to do are relatively easy to accomplish.
Remember, this guide is just a guide – although it is very easy to learn how to secure your computer systems using the information found here and elsewhere; if you’re not confident that you can do it, please seek the advice or help of a competent computer technician or IT person.
Icons courtesy of the Crystal Icon Set.
Finding Confidential Information Online – By Mistake
July 5, 2005
From Bruce Schneier’s blog and Boston.com:
Tax liens, mortgage papers, deeds, and other real estate-related documents are publicly available in on-line databases run by registries of deeds across the state. The Globe found documents in free databases of all but three Massachusetts counties containing the names and Social Security numbers of Massachusetts residents….
It’s easy to say “we haven’t seen any cases of fraud using our information,” because there’s rarely a way to tell where information comes from. The recent epidemic of public leaks comes from people noticing the leak process, not the effects of the leaks. So everyone thinks their data practices are good because there have never been any documented abuses stemming from leaks of their data and everyone is fooling themselves.
It can only be a matter of time before a lawsuit is filed because of this type of data leak. I wonder what the repercussions of that would be?
Fourth Amendment Puzzle
June 14, 2005
As a computer professional, I’m often very interested in these sort of legal questions, as they relate to technology. Here’s a bit of a quote from this article over at The Volokh Conspiracy:
Here’s the problem. Imagine that the police believe that there is evidence of crime on a suspect’s computer, but they lack probable cause to obtain a warrant to search it. The police ask the suspect if he will consent to allow the police to search the computer for evidence. The suspect agrees, and gives the police his computer to be searched. A few days later, the suspect talks to an attorney and the attorney advises the suspect to revoke his consent and demand the return of the property. The lawyer (or the suspect) calls the police and withdraws consent to search the computer.
[...]
But here’s the twist. It turns out that the first step a computer forensic analyst takes when seeking to retrieve evidence from a hard drive is to create a “bitstream copy” or “image” of the computer hard drive. The “image” is an exact copy of the hard drive that copies every one and zero on the drive. It is created for reasons of evidentiary integrity; searching a computer drive can alter the data it contains, so analysts copy the original and do all of the analysis on the image copy. After the drive has been imaged, there are two copies of the data, not one: one copy of data on the defendant’s property and another copy on the government’s machine.
Now, back to our hypothetical. It turns out that a suspect often withdraws his consent after the computer has been imaged, but before government has begun to search the image. (This is common because imaging can be done in a few hours, but most government forensic labs have long waiting lists for the actual analysis.) So here’s the big question: When the suspect withdraws his consent, does the withdrawal of consent also apply to the image? Can the police search the imaged copy, or will searching the imaged copy without a warrant violate the Fourth Amendment? In doctrinal terms, does a defendant retain a legitimate expectation of privacy in the image, and if so, does his common authority to regulate consent to search the original apply equally or differently to the copy?
My opinion on the matter (given my understanding of the law) is that the image made of the drive could be retained by the police – after all, you would hardly expect the police to give back a picture they took of a suspect if that suspect was later released. That’s my gut feeling on the matter, anyway.
If you disagree, or if you just have additional thoughts – please feel free to comment!
U.S. Medical Privacy Law Gutted
June 7, 2005
Bruce Schneier had this to say today in regards to changes in the way HIPAA rules are being applied.
I imagine that many of our customers will be interested in what he has to say.