Your trust in us is paramount, and maintaining the privacy of your personal information is our priority.
Massachusetts has recently enacted new data protection regulations, and Prince Lobel wants to make sure you are aware of the latest requirements, and inform you that the firm has implemented strict privacy policies that both comply with the law and ensure the safety and security of all personal information shared with the firm.
How is personal information defined? Personal identifiable information (PII) is an individual’s name (first and last name, or first initial and last name) in combination with one or more of the following:
- Social security number
- Driver’s license number or state issued ID
- Financial account number or credit/debit card number (with or without PIN or password)
As a law firm, Prince Lobel has access to such information, and therefore, is at the forefront of creating and implementing firmwide policies and procedures to protect our clients’ personal information. If your business handles the personal information of a Massachusetts resident, no matter what type of business you’re in, large or small, for profit or nonprofit, you need a WISP (Written Information Security Program).
Prince Lobel has developed a comprehensive WISP, and has held mandatory training sessions for all staff and attorneys to ensure compliance at every level, in every department, at all times. Examples of the provisions the firm has implemented per the new regulations include:
Appointing a security officer responsible for administering, maintaining and updating the WISP.
Identifying all information as either public or confidential. Any document that contains personal identifiable information must be labeled confidential. Any information not visibly labeled will, by default, be treated as confidential.
Identifying, documenting, and restricting access to every location that contains PII, whether that location is electronic, portable, or physical.
Assessing risk. On an annual basis, or as often as necessary, the firm will assess the reasonable foreseeable internal risks to the security of PII. Types of risk to PII include unauthorized access, network or computer security breaches, stolen laptops, mobile devices or other equipment, etc.
Limiting risk. By identifying the possible risks to PII, the firm has implemented safeguards that include (but are not limited to), collecting and maintaining only as much client information as is necessary, restricting access to PII, creating a strict approval process, and assigning unique user IDs and passwords that cannot be reassigned and are deactivated when an employee leaves the firm.
Working only with third-party providers who can comply with the privacy laws (201 CMR 17). For contracts signed after 3/1/10, these providers must be contractually bound to maintain the appropriate security measures.
Shredding hard copy waste that contains PII, and immediately removing documents that contain PII from copy or fax machines. Faxes that contain PII must be sent to either a locked room with authorized access only, sent to a password protected fax mailbox, or the sender must make sure the authorized recipient is on hand to receive the fax.
Electronic communications. Prince Lobel has implemented a “secure send” option to ensure that the PII contained in an email can be viewed only by an authorized recipient.
Employees who work remotely or travel on firm business must adhere to the same strict access policies, and ensure that Prince Lobel business information is adequately protected. Firm IT personnel must approve the security measures on equipment used to conduct business from a remote location.
Developing disciplinary rules. All employees, whether they are full-time, part-time, contract, or temporary, are required to comply with the firm’s WISP. In case of WISP violations, the firm has developed strict disciplinary rules, regulations, and punishments.
Ongoing training. The firm will conduct annual training for every employee, and will review the current WISP annually, or whenever there is an incident, a threat has been identified, or there has been a significant change in business practices.
If you haven’t already done so, your business needs to create a WISP – and Prince Lobel can help. To start, please consider the following:
Don’t cut corners. Don’t just pass along the requirements of the regulations verbatim. Take the time to analyze your systems and practice of collecting, maintaining, and disposing of personal information.
Consider the liabilities. Improper or unauthorized disclosures of PII can result in consumer class actions, regulatory action, and private actions for recovery – all of which can amount to a significant financial liability. Having a WISP, while not a complete failsafe, can serve as a formidable defense.
Review your website privacy policies. Are they effective? Are they current? Do they accurately reflect your actual policies with regard to PII and data protection? Policies that promise protection to consumers and employees but are never implemented can do more harm than good in the event of a breach.
The WISP is an early-warning system. A well-crafted and implemented WISP can be your first line of defense in case of a breach. Being able to intervene from the outset and notify the affected parties and appropriate regulators early in the process can help mitigate damages and potential fines.
Penalties for noncompliance. The attorney general can bring action against a company for failure to comply, and a business can be liable for a civil penalty in the amount of $5,000 per violation. Whether or not this penalty will be assessed on a per document basis remains to be seen, but the potential for huge regulator penalties is a distinct possibility.
If you would like assistance creating, revising, or implementing a WISP for your business, or need more information about how to comply with the new regulations according to 201 CMR 17.00, please contact the author of this alert, Peter J. Caruso II, at 617 456 8034 or [email protected].