What the New Massachusetts Data Security Regulations Really Mean for Small and Mid-Size Law Firms

You may have heard of the new regulations released by the Massachusetts Office of Consumer Affairs and Business Regulation – specifically, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (PDF link).

These regulations apply to anyone who owns or licenses certain information (so-called “personal” information) about a Massachusetts resident, but for the purposes of this discussion, we’re going to limit ourselves to how these regulations apply to law firms.

Many law firms, and especially smaller firms, don’t have an in-house IT person or technical staff, which leaves the attorney or office manager to grapple with the issues raised by these regulations – issues which in many cases go well beyond their areas of expertise. The goal of this article is to help people understand how these regulations apply to them in plain English.

Note: While we hope you find this article helpful, this isn’t meant to be a definitive guide as to what you should do to make sure your firm complies with these new regulations. This is just general advice and tips.

First, some definitions – the regulations themselves contain a far more extensive “definitions” section (see section 17.02 of the actual regulations) – so we’ll just cover the basics here.

What exactly is “personal” information? The regulations define what constitutes “personal” information – specifically, information that is personal is: A person’s first & last name (or first initial & last name) in combination with any one (or more) of the following:

  • Social Security number
  • Driver’s License Number (or other state-issued ID number)
  • Financial account number(s) (checking/savings account number, etc.)
  • Credit card number(s)

What exactly am I required to do? In general, you have to take steps which are appropriate to the size, scope, and nature of your business to protect “personal” information from unauthorized use. More or less, this means coming up with a (written) plan to make sure that the personal information you have is kept safe, keeping that plan up-to-date and making sure everyone in your firm is educated about the plan.

Section 17.04 of the regulations spells out what you have to do as far as computer security is concerned. This section is broken down into a number of topics relevant to computer security.

Secure User Authentication: This is a very technical way of saying “user names and passwords.” In general, the longer your password is, the more secure it will be. For most people, the password you need to worry about the most is the password you use to log on to your computer (that is, log on to Windows). Fortunately, Windows allows you to use very long passwords – you can even use spaces and upper & lower case letters – so you can pick very long, but easy (for you) to remember passwords. You can use entire sentences, complete with punctuation, if you want.

For example, the password (or “pass-phrase” as it’s sometimes called when it’s this long) “I grew up on my uncle’s farm in Sudbury, Massachusetts” is very long (54 characters) – which makes it very strong. (A 54 character password, using just the letters, numbers, and punctuation marks on your keyboard, has something on the order of  2.564 x 1091 possible permutations!) The benefit of a long pass-phrase like this is that its length gives it strength (it’s hard for someone else to “guess”), but the fact that it’s a plain English sentence makes it easy for you (the user) to remember. After all, a good password does you no good if you can’t remember it!

Another useful tip is that most computer systems have a limit on the number of times you can try to log on while getting the password wrong (3 or 5 are the usual number of tries you’re allowed). After you’ve tried to log on a few times, but gotten it wrong, you might be locked out – or you might have to wait a period of time before you can try again. This helps prevent people from just guessing passwords as fast as they can (usually automatically using another computer).

However, the built-in “Administrator” account in Microsoft Windows (and in other operating systems too, like Mac OS X and Linux) usually has no limit on the number of times the password can be guessed (after all, you need at least 1 account that you can’t be locked out of, so that you can log on and unlock the people who guessed wrong). It is very important to set a very strong password for the “Administrator” account. If your “Administrator” account doesn’t have a good password, then all of your other good passwords are useless, since by definition the “Administrator” account has access to everything on your computer.

Secure Access Control Measures: In general, this means that people only have access to the files & data that they actually need to get their job done. Your bookkeeper, for example, doesn’t need access to your client’s financial statements – that’s not part of his or her job. Likewise, your receptionist doesn’t need access to your firm’s financial records (unless your receptionist is also your bookkeeper of course!).

All versions of Windows since Windows 2000 provide easy ways for you to set “permissions” on files, so that you can give access to files to some users, but not to others. However, these “permissions” depend on the user who is logged onto the computer – so if you have two or more people “sharing” a computer, make sure that you have a separate user name for each of them. Otherwise, from the computer’s point of view, they are all the same person and have access to the same files.

Secure access control also means disabling or deleting user accounts for people once they no longer work for you anymore – this is something that many people forget to do, and the result is that the ex-employee now has a “back door” into your files. Even if he never intentionally uses it, the account is still around, and he may re-use his password somewhere else, and it may get stolen, and now whoever stole the password has access to your files!

Encryption of personal information sent over public networks (e.g., the Internet): For most people, this refers to email – but it can also refer to websites where you upload files or enter and save information.

Encryption is a complicated topic in itself – but you can think of it as “locking” something in a box or safe, so that no one else can open it up. In respect to email, encryption means that you lock the email before sending it, and the recipient also has to have his own copy of the “key” so that when he receives it, he can unlock the email.

The difficulty here is of course that the recipient must already have the key to unlock the email in the first place. It’s sort of a catch-22 situation – no matter what you do, you need the recipient to somehow already have the “key” before you can send encrypted email. There is no easy answer to this – other than not to send “personal” information via email in the first place. There are many different third party services which offer ways to send encrypted email – but all of them involve making the person to whom you’re sending the email have to do something “extra” to get your message. Whether this involves signing up for an account with the third party service or something else entirely, he will have to do something. (This is one of the main reasons that encrypted email – although it’s been possible for years and years – has never caught on.)

As far as email is concerned, it’s worth remembering that you only need to encrypt emails that contain “personal” information – and remember that “personal” information isn’t just someone’s name, it has to be a name and some form of ID number (SSN/License/credit card/etc.). So if you never send that sort of stuff by email, you’ll never have to encrypt your email.

If you only need to send personal information by email once in a while, you might be able to get by with one of the third party solutions for encrypted email – assuming that you let the recipient know in advance that he’s going to have to do something extra to get your file. Alternatively, you might turn to a secure website for transferring files – we’ve talked about this before here in our article on “Solving the problem of sending sensitive files by email.”

If you upload files that contain personal information to any website (or if you enter and save personal information into a website), chances are that the website already has encryption – just look for the little “lock” icon that appears in your browser when you visit that site. If the “lock” icon is there, then the connection is encrypted.

If you use a third party website which saves personal information, you also have to check with the provider of that website to make sure that the information you’re saving there is also adequately protected – basically, the people who run the website have to comply with the Massachusetts regulations just as you do.

Reasonable Monitoring: In general, this means exactly what it sounds like – take reasonable steps to monitor your computers and make sure that no unauthorized use has taken place. In other words, it means “be aware of your stuff.” Of course, what constitutes “reasonable” will depend greatly on the size and resources of your firm, but in general you’d want to have some sort of record or log of (for example) when someone tries unsuccessfully to log on several times (this might mean that someone’s trying to guess your password and log on).

Encryption of Personal Information on Laptops and other Portable Devices: This part of the regulations is required because laptops and other “portable” computers (netbooks, iPhones, Blackberries, etc.) are naturally more susceptible to being stolen, due to the fact that they are portable – you might forget your laptop somewhere, or it might be stolen, and so on. Because of this, you need to take extra precautions with the information on portable computers.

For example, if someone steals your laptop, even though you have a very good, strong password that prevents him from just logging on and reading your files, he can still just take your laptop’s hard drive out of the laptop and plug it into a different computer and read the files off of it. (The same thing goes for desktop computers as well, but since they are safe behind the locked doors of your office, it is less of a worry.)

To prevent someone from just reading the files off of your laptop’s hard drive, you need to “encrypt” the files – basically, locking them with a “key” which only you know. Fortunately, this is not very hard to do, although there are many different ways to go about doing it. We’ve talked about encrypting your client files here before, in our article on “Keeping your Client’s Data Safe.” If you use Windows, and you have a good, strong password, you can use the encryption that is built right into Windows itself (see our article for links on how to go about doing this).

The only files you absolutely have to encrypt (as far as these regulations are concerned) are the files that contain “personal” information. However, if you have lots of files in many different programs all over your computer, you may want to encrypt the entire hard drive (using “whole-disk” encryption). The top-end editions of recent Windows versions (e.g., Windows 7) have whole-disk encryption tools built-in, or you can use a third party solution.

As far as portable devices (iPhones, Blackberries, etc.) go, there may be encryption software available, or you may be able to use a PIN/password feature of the phone itself to “lock” the phone completely so that if it’s stolen, no one can use it (without erasing the phone’s memory, which of course also erases any personal information, thus keeping it safe from unauthorized use).

Up-to-date firewalls, anti-virus, anti-malware: This section of the regulations is just formalizing what you should already have – to use a computer that’s connected to the Internet these days without some sort of firewall or anti-virus is just asking for trouble. Fortunately, all of these options are very easy to take care of.

If you have an Internet connection to your office, chances are you have some sort of “router” into which you plug your computers and which then is connected to your actual Internet connection (DSL/Cable modem, etc.). Your DSL or Cable modem may even be a router itself – this depends on your Internet provider and the manufacturer of your DSL/Cable modem. Most modern routers also act as a firewall as well, keeping the computers in your office “invisible” from the outside Internet. Some even offer more advanced filtering options – you should check the manual that came with your router to be sure.

In addition to your router, chances are your computer itself has a “software” firewall built in – all versions of Windows (since Windows XP Service Pack 2) have a firewall built in. As long as you haven’t turned it off, it should be silently doing its job, keeping outsiders from connecting to your computer.

Anti-virus and anti-malware programs are likewise easy to come by, although you need to take care with selecting a reputable vendor, as some spyware/malware disguises itself as anti-spyware or anti-malware programs – so you think you’ve installed a program to protect you, when in fact it is not doing anything but infecting your computer!

There are many well-known names as far as anti-virus programs go – and most of them are available as a “suite” of products, that includes a firewall, anti-virus, and anti-malware. Some you must pay for (and these usually include extra options, for example the ability to administer remotely the settings for all the computers in your office), while others are free. Although we tend not to recommend any one product over another, Microsoft does have an anti-virus and anti-spyware program called Microsoft Security Essentials which is both free and very effective. There are of course other products, which you can easily find both online and at your local software/office supply store.

Education and Training: The final aspect of these regulations involves both education and training. Basically, all the security in the world won’t do any good if the people using the systems aren’t educated about how it works and what they need to do to keep it working. Keep yourself and your staff informed on what proper procedures are for handling personal information in your firm so that no mistakes are made. (For example, you might prohibit your staff from copying files with personal information onto USB flash drives to take home and work on – since their home computers and the USB flash drive itself are not subject to your control and might not be secure.)

In many security breaches, the problem is often not a technical one, but instead a case of “human error.” So keep your staff informed on how personal information must be treated and you will help greatly reduce the chances of unauthorized use of personal information.

Final Thoughts: Although the new Massachusetts data security regulations may appear to be somewhat complex or demanding at first glance, many of the things mandated by these regulations are actually things you are already doing (or should be doing). Although you do have to do some extra work to keep on top of your security policy (such as writing it down and keeping it up-to-date), most of the other things you are required to do are relatively easy to accomplish.

Remember, this guide is just a guide – although it is very easy to learn how to secure your computer systems using the information found here and elsewhere; if you’re not confident that you can do it, please seek the advice or help of a competent computer technician or IT person.