Got PI or PII or PHI? - Personal Information (PI), Personally Identifiable Information (PII), and Protected Health Information (PHI) is held by nearly every organization. In fact, it takes very little to make PI:
- first and last name or first initial and last name; PLUS
- some identifying information such as a credit card number, a social security number, a drivers license ID number, a state-issued ID card, a credit/debit card number, a financial account number or similar identity information.
If your organization collects, owns, holds, or even transmits certain types of Personal Information, various state and federal laws require that it be protected. Data theft, identity theft, and especially ransomware are a growing concern. Not a week goes by without a report of another stunning data breach.
Data theft or loss triggers reporting duties, potential fines, possible legal liability, and potential reputational damage. The laws protecting consumers against the harms of data loss are growing stricter. Massachusetts has the status as the state with one of the most far reaching protections for the PI of its residents, wherever that data is located. That means, if you have financial information such as a check or credit card from a Massachusetts' resident, you must comply with the law - 201 CMR 17.00 - even if you are located outside Massachusetts. Data loss need not be related to theft; simply losing a laptop computer with protected information triggers reporting duties.
In the wake of the Facebook - Cambridge Analytica scandal the trend-line is moving toward the GDPR principle of "privacy by design".
Solutions to these challenges are both technical and legal. The Written Information Security Programs (WISPs) required to comply with the Massachusetts' law contain requirements for employee discipline, employee policies and training, as well as annual review. GDPR and CCPA push the requirements further. Legal issues are also implicated by the need to update or create retention and information governance (IG) policies for the organization. Regardless of where in the solutions process your organization is, we can help guide you toward appropriate solutions.
Our services include:
START HERE with a confidential attorney client privileged consultation - The atttorney-client privilege is far more protective than any NDA. The privilege applies to all communications seeking legal advice concerning technology solutions. The privilege can also be extended to non-lawyer consultants that we hire on your behalf.
Data Mapping & Gap Analysis - Sampling and deployment of manual and automated tools to identify and locate PI/PII. Gap analysis and project scoping assistance. See an example of a blueprint for GDPR and CCPA/CPRA compliance here.
Privacy, Identity Theft, and Written Information Security Program Compliance - Massachusetts requires any organization anywhere holding banking, social security numbers or other defined Personal Information (PI) on any Massachusetts resident to be protected by a comprehensive Written Information Security Program (WISP). We can draft or update a legally defensible WISP and conform it to an overall organizational Document Retention Policy as well as other information governance, security, and privacy laws. Massachusetts' WISPS should be updated annually, at which time a risk analysis of other applicable laws can be completed.
Identity Theft and FTC Red Flags Rule - The FTC Red Flags Rule requires that financial institutions and creditors to create a written Identity Theft Prevention Program for Personal Identifying Information (PII); the Rule defines "creditors" very broadly to include just about anyone who offers credit, including small businesses outside the financial sector; noncompliance with the Rule presents significant risk because it entitles the FTC to bring enforcement actions on its own; we can help conform your written Identity Theft Prevention Program with Massachusetts' WISP requirements and an overall Document Retention Policy
Vendor Selection & Contract Terms - Massive breaches have been caused by vendor vulnerability, such as the 2020 Solar Winds hack. We provide assistance in selection of vendors for privacy and information security programs; advise on contracting with all vendors who are in possession, custody and control of organizational data or records for compliance with Massachusetts 201 CMR 17.00 and similar laws that require protection of Personal Information. Vendor contracts should be reviewed annually for compliance.
Investigations - confidential response for internal investigations of harassment, fraud or information security breach involving an organization's IT system and computers
Privacy - confidential advice concerning privacy and information security laws including GDPR, CCPA, 201 CMR 17.00, Massachusetts Executive Order 504, HIPAA, Gramm Leach Bliley, the Patriot Act, and others
Employee Training - best practices for managing electronic records, legal hold, and litigation-readiness training; provide Information Security Program employee training required by GDPR, CCPA, Massachusetts regulation 201 CMR 17.00, FTC Red Flags Rule, and others
Technical training and "fire drills" available on confidential live client data to develop in-house expertise in the application of legal holds to electronic storage, records retention systems, and litigation readiness programs.
We provide preventative law services to organizations including public and private corporations, municipalities, government agencies, and educational institutions regarding legally defensible approaches to document retention policies, legal holds, email & unstructured data storage, litigation readiness, and information security programs. Our approach to these issues is to identify gaps and apply industry standards and best practices.
We work with our clients to take advantage of internal resources. We can supplement your team with a number of capable IT and RIM consultants to deliver effective solutions. We have experience in handling the most complex matters for multi-billion dollar enterprises, including those involving millions of electronic documents and terabytes of data.