Bar News - June 15, 2012
Personal Data Security Trends and the Attorney-Client Relationship
By: Sean Galvin
Two fundamental duties of an attorney are keeping client confidences and competency in their representation. In today's technology-driven environment, these two duties may also have regulatory and statutory components beyond professionalism and professional-conduct precepts; these may require implementing technical, physical and administrative safeguards to protect information.
Historically, ignorance of the law is no defense. Equally unconvincing today is technology and data-privacy ineptitude. In the past, an inadvertent or accidental disclosure by an attorney or the nefarious interception of confidential client information by another may have been defensible. However, this defense may be less tenable today if the disclosure could have been prevented by reasonably adequate safeguards. And, with expanding technology in law practice, the increase in identity theft and the recent publicity related to data breaches, legislators and regulators are now engendering and enforcing laws that affect how lawyers practice.
Perhaps the most detailed and significant law affecting lawyers is Massachusetts General Laws Chapter 93H § 1, et seq., which was promulgated in October 2007 by the General Court for the Commonwealth of Massachusetts ("Chapter 93H"). Its corollary, Section 201 of the Code of Massachusetts Regulations Section 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth ("CMR 17"), was promulgated in November 2009 and drafted by the Office of Consumer Affairs and Business Regulation Department. CMR 17 sets forth, inter alia, the minimum appropriate technologies for those that own or license personal information of Massachusetts residents, related security-breach notifications and associated enforcement rights of the attorney general for those that fail to properly safeguard personal information.
Under CMR 17 "personal information" is clearly defined as "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account;" Id. at 17.02. To "own or license" means "to receive, store, maintain, process, or otherwise have access to personal information in connection with the provision of goods or services or in connection with employment." A failure to properly protect personal information that a lawyer owns or licenses may end in injunctive and pecuniary enforcement by the attorney general (e.g., fines of up to $5,000 per violation, injunctions to enforce or enjoin certain actions by violators, and reimbursement of legal and investigative costs borne by the Commonwealth).
A few examples of the regulatory requirements set forth in CMR 17 are that you must (i) have a written information-security program, (ii) name or identify a person or persons responsible for the information-security program within your organization, (iii) provide training for employees (and contractors), (iv) develop policies for personal information that leaves the premises, (v) encrypt all personal information stored on laptops or other portable devices, (vi) have contracts specifically address CMR 17 and adequate safeguards for the protection of personal data for third parties receiving personal information, (vii) encrypt all personal information being transmitted over public networks and (viii) implement reasonable monitoring of systems to detect unauthorized use of, or access to, personal information.
CMR 17 is succinct and clearly delineates the technological requirements without much ambiguity, but these requirements may significantly affect how most law firms do business, train staff and allocate operating and capital expenditures. The more onerous requirements may give pause to those who are unfamiliar with the technology concepts, especially the small-to-medium-sized firms without an in-house IT department. For instance, encryption of all laptops and portable devices that contain personal information and sending information encrypted over public networks may be new concepts for some lawyers. It should be noted, however, that the size, scope and type of business will be important factors in gauging what controls are reasonable and could affect how enforcement actions are addressed from one investigation to the next, but this provision will likely be applied by the attorney general on an ad hoc basis and should be relied upon with prudence and caution. A law firm that does not implement certain safeguards should assess its gaps in compliance and specifically document why certain things weren't done due to size, scope and business type, or what compensating controls were implemented based on these factors. Only after a thorough understanding of these requirements and implementing all feasible safeguards can one begin to impart appropriate reliance on size, scope and type of business if an enforcement action is to take place. Another provision worth noting, and one that may be a surprise to some, is the requirement that all personal information on a portable device be encrypted, including any portable-storage device (e.g., a Universal Serial Bus or "USB").
One recent case that illustrated the application of Chapter 93H and CMR 17 is Katz v. Pershing, LLC, in which a class of petitioners sued a service provider, Pershing, in federal court. Pershing received personal information when providing brokerage clearing services, using proprietary software, to customers of an investment broker, and the petitioners sought, inter alia, redress for violations of Chapter 93H. In this case there were many claims addressed; however, most notably, the court provided guidance to those who may have feared a deluge of class-action litigation by holding that the statute was not intended to provide standing for a private cause of action and was limited to the attorney general's right to enforce. The case focused on statutory breaches, with only speculative harm based on speculative unauthorized access or use by a service provider. Although this case did not provide for a private cause of action under statute, the message that individuals are seeking redress and are aware of Chapter 93H and CMR 17 is clear. This case is significant, but it does not mean that there will be no tort liability resulting from violations of Chapter 93H or CMR 17; the regulation will likely be used to show a deviation from the standard of reasonable care and to support possible negligence claims.
In another matter, the Massachusetts attorney general's office evidenced its willingness to enforce this statute. The office filed a final judgment by consent in Suffolk Superior Court on behalf of the Commonwealth of Massachusetts along with Briar Group, LLC, a restaurant owner that had credit- and debit-card information hacked. It was found that reasonable steps addressing data-security safeguards were not taken. For example, Briar failed to change user names or passwords, allowed shared passwords, failed to terminate former employees' passwords, failed to secure remote-access utilities and its wireless network and stored information in clear text on its systems. As part of the judgment by consent, the attorney general required the implementation of a written information-security program, adherence to Payment Card Industry Data Security Standards when transmitting credit-card data and the implementation of password and data-storage changes and imposed a civil penalty of $110,000. This case exemplifies the attorney general's willingness to engage in enforcement actions and the heightened requirements placed on those that own or license personal information of a Massachusetts resident. It is now clear that these violations will be investigated and enforced with significant fines.
Enforcement actions and potential lawsuits are important factors for law firms to consider in formulating their information technology budgets, data-privacy policies and hiring third-party providers. However, the potential inordinate damage to the reputation of a firm or an attorney resulting from publicity or judgments evidencing systemic failures should be of equal concern. Interestingly, this matter arose out of failures to protect personal information in 2009, before CMR 17 requirements came into effect on March 1, 2010.
More recently, Belmont Savings Bank, pleading not guilty, entered into an assurance of discontinuance with the Massachusetts attorney general's office after a tape with the personal information of 13,380 Massachusetts residents was lost. However, there has been no information produced to indicate whether the personal information was used in an unauthorized way or by an unauthorized person. It is alleged that an employee left an unencrypted backup tape containing personal information on their desk instead of storing it in a secure vault. It has been reported that a surveillance camera showed a cleaning-crew member discard the tape, which was likely later incinerated. In this assurance agreement, the alleged violations of CMR 17 were for failures to follow Belmont Savings Bank's written information-security program and failing to encrypt taped backups. Some of the assurances by Belmont Savings Bank are that (a) all laptops, portable devices, backup tapes, etc., will be encrypted, to the extent technically feasible, (b) the transmitting and storage of tapes will be done securely and (c) all members of the workforce will require training on policies and procedures for protecting personal information. Belmont Savings Bank was fined $7,500, and the Commonwealth reserved the right to further enforcement if the lost tape results in "actual harm." Invoking the standard of actual harm in this context is itself controversial, as some argue that the mere loss and subsequent uncertain disposition of the personal data constitutes actual harm. Lastly, the attorney general's office has relied on this provision at least twice, reserving its rights to further enforcement if there is subsequent harm, which will likely cause monitoring, unknown exposure to future liability and other concerns.
These laws and trends are changing, and will continue to change, how lawyers practice; what were once thought of as esoteric information-technology concepts have become requirements to be understood and carried out by all. The expectation today is that, if a firm or attorney handles personal information, it also must have a basic understanding of these concepts and ensure that actions are being appropriately taken. As indicated above, if they are not, residents and the attorney general for the Commonwealth of Massachusetts will seek redress, and other states are likely to follow with more specific requirements.
Lastly, this article did not address professional conduct, but it should be noted that it is very important in considering data privacy, and that attorneys need to also analyze and consider what effects a failure to follow regulatory and statutory requirements related to protecting clients' personal information may have now and in the future.
Sean Galvin is licensed to practice in Massachusetts and New Hampshire and provides in-house legal counsel to an organization on domestic and international legal and business issues such as risk, litigation, contracts, licensing, negotiation, compliance, regulations, commercial real estate, bankruptcy, employment matters and mergers and acquisitions.