How to comply with Massachusett’s data security law (Chapter 93H)
*Guest post by Tom Traina, Board Member of SOS. For more information on his practice, visit: http://www.geeklawyer.net
** Right click to download Attorney Traina’s powerpoint presentation
I’ve agreed to share the slides that I created for the Starting Out Solo presentation I did on data security and tools that will help lawyers comply with the new regulations promulgated under Chapter 93H.
There was some good discussion during the presentation that I feel would be helpful to people reading the slides that I will summarize now. The first matter is that, with e-mail, data security is much more difficult because a potential client who just wants to ask a question may not see a benefit in setting up a program like GPG just to ask what they think is innocent preliminary questions.
However, if two attorneys are collaborating and sharing sensitive information with each other via e-mail on a regular basis, using tools like GPG become much more important, as it is far more likely that information that needs to be protected will be shared with co-counsel. In that scenario, I cannot recommend using GPG and add-ons like FireGPG highly enough.
There was also some discussion of what the “reasonable person” standard would have to say about encrypting e-mails given lay people are unlikely to want to do so. I think it’s important to remember that when an email contains sensitive data that the client has sent you, you are still technically storing it in your e-mail account, and have all the responsibilities that that entails. The safest course of action is to ensure the email is sent and stored in an encrypted state, or remove it from the mail server as quickly as possible and store it on an encrypted file system like a TrueCrypt container.
In any case, I hope the slides provide some useful pointers for you all. If you come to SOS monthly meetings, I’ll answer any questions I can about the technical side of Chapter 93H compliance.
-Tom Traina
GeekLawyer.Net