UPDATE: After I did the following post, I received several e-mails from readers in Massachusetts noting that the effective date of the new regulation there was delayed until May 1, 2009. My colleague Rodney Dowell of the Massachusetts Law Office Management Assistance Program posted a primer written by one of his state's lawyers on how businesses should comply with this requirement.
Lawyers USA had a news story a few weeks ago about some new state laws requiring lawyers (and other businesses) to encrypt their data if it contained personally identifiable data. Obviously the point is to protect credit card numbers and other things that could lead to identity theft. But for lawyers, there could be many additional headaches. The Nevada law, which is already in effect, just relates to encrypting information sent across the Internet, like e-mail. And facsimiles are specifically excluded. But when one thinks of the many estate planning forms, tax forms and business entity creation forms that require Social Security numbers, you see the possibility of many inadvertent violations. As noted, a real "gotcha" could be replying to a client's e-mail that contains the personal information and having it quoted in the e-mail.
But it gets worse. The article notes:
"Massachusetts' new law [effective 1/1/09] goes a step further than Nevada's, requiring encryption not just of data in transit but also for all personally identifiable information about a resident of the state that businesses 'own, license, store or maintain' stored on laptops or other portable devices."
So if you are doing a presentation in court and your trial presentation software cannot deal with encrypted exhibits, that is just tough, even though exhibits are going to be public record anyway? Or if your case management system cannot handle encrypted files, then you are just done with using a laptop? And is it OK to decrypt the files for a moment to use the data or is that illegal, too?
I agree with the underlying concept. If you are going to carry around thousands of customers' credit card numbers on a laptop or handheld, that information should be encrypted. The application of that premise to the business of law is a bit more uncertain. Even if you are not in one of these two states, it is time to look at this issue. As the article noted, 44 states now have laws requiring businesses to notify customers if there is a security breach and their information has been potentially compromised. The idea of a junior associate losing a laptop or having it stolen and the law firm having to notify every single client of this fact due to a practice management package on the laptop should be frightening enough to spur lawyers into action. Full disk encryption of firm laptops is the likely conclusion, but everyone needs to examine this for themselves.