A Law Practice Advisor for Massachusetts Lawyers

The Massachusetts Law Office Management Assistance Program makes itself available to help attorneys licensed in Massachusetts (or soon to be licensed) establish and institutionalize professional office practices and procedures to increase their ability to deliver high quality legal services, strengthen client relationships, and enhance their quality of life. For further information go to http://www.masslomap.org/.


Friday, September 25, 2009

Signaling Mission Control: Practice Management Software for Your Firm; LOMAP Introduces Technology Center

For a recent presentation at the Massachusetts Bar Association covering the startup of an Immigration Law practice (which was, incidentally, really well done, covering, as it did, general, as well as immigration law-specific, topics of interest, this all being a credit to the speakers and to the program chairs, Roy Watson and LOMAP’s own Rodney Dowell), I was asked to consider the use of practice management software generally. Now, of course, I’ve considered this before, and the subject comes up in nearly every attorney consult-meeting we have; but, there’s something about putting it all down on paper, and outlining a subject. Immediately after my presentation piece ended, and just before I sat down to fill out an evaluation for the strikingly handsome speaker that had just finished, my first thought was: “Yes! My blog post for this week is nearly done.” And so it was.

We have written previously at the blog on the topic of practice management software, with Rodney (backed by a post and linked article emanating from David Bilinsky’s Thoughtful Legal Management blog) advising that the use of such software means that you’ll have more time, make more money and get more sleep. (All good things; but, let me know when someone comes up with a way to make more money while sleeping. You can wake me up for that. But, then, let me go back to sleep, again.) I intend to present more of a general overview of Law Practice Management Software with a handful, or two, or some, particular options. So, feel free to review both this post and that last post in companion; but, don’t miss this one: there’s a special announcement at the end. Shhhhh (for now).

. . .

The preliminary question, of course, is: What is Law Practice Management Software? (Of course Wikipedia would let me down this time, right? I guess I’ll have to field this one myself.) The easiest way to think about Law Practice Management Software is to think of it as a computer-based, or virtual law office management system. (Think about your client contacts, client info, email, files and file cabinets, the Redbook, your sticky notes, your research files, all neatly bundled, searchable, and prepared for your easy access. Too good to be true, you say! Nay.) It’s your one-stop management space. The aspects embraced, and alluded to before, include: client contact information, schedule and appointment management (with reminder options), deadline and task management (with reminder options), email archiving, document management and (if you choose to purchase an associated time and billing program) time and billing and financial accounting, including trust accounting. Now, that is a mouthful. Overwhelming? Nah. Law Practice Management Software makes it all easy. Here’s why: You’ll now have an accessible, single dashboard that provides you with a holistic view of your practice (all of your cases) as well as, at a secondary drillbit, a client-, or matter-, centric view (one case at a time), from where you can move down through files, like flipping pages, only easier, and with less walking, man. Plus, genuinely intuitive, tabbing functionality allows you to maneuver easily, in ways you recognize, and understand. And, you can sync Law Practice Management Software with your email calendar. Oh, and there are one-touch billing options and linking with your online accounts. (Damn, that’s sweet. (I know, that’s what I said!))

Alright . . . Bells. (Check.) Whistles. (Check.) Now, Why do you really need Law Practice Management Software? Well, two main reasons. And, these also happen to be the two main reasons that people get in trouble with the BBO (you remember the BBO). Hmmm, How ‘bout that? So, attorneys generally end up running afoul of the BBO because of: (1) lack of client contact (you never call your client; they’re angry; they call the BBO about you, saying you charge too much and never call; the BBO calls you; you shriek); (2) financial management missteps (you better watch out; you better not cry; you better not pout; you better have your reconciliations). What Law Practice Management Software does is provide you with (potentially synced) calendaring, task and deadlines options, including reminders (that’s 1) as well as (potentially synced) billing options, operating account and trust account management (and . . . that’s 2). Of course, there is always the potential for human error; and, although your Law Practice Management Software system will provide you the tools to manage your client contacts and financial accounts, you have to use those tools correctly, and you must stay on top of things, in order to truly keep yourself out of trouble. Add to the benefit of serving as an aid to keep you out of trouble the facts that Law Practice Management Software provides you those various levels of viewpoint, increased efficiency and integration.

If you’re already starting to whine now: Oh, but I haaaaate technology. Well, that’s cool, because I do, too. There’s nothing that pleases me more than logging off of a computer or shutting down a blackberry. However, since there’s no money in farming, we’ve all got a job to do, and I’ll be damned if I am going to avoid useful technology that makes me more efficient based upon some Amish philosophy that I’d like to apply to a perfect world. Waste your time, instead, mastering the technology, so you can get home and spend some time with your kids. And, if you’re not tech-savvy, take the time to analogize your way through it. There is an offline equivalent for everything you do online: Your Law Practice Management Software is your file cabinet. Your files are still your files. Your Redbook is your electronic calendar. Think of it in whatever way it takes to make it work.

You have two overarching choices to make before you select a Law Practice Management Software. The first choice in your legal Choose Your Own Adventure is whether you want to go with a software download or an SaaS (Software as a Service) model. Everybody knows what a software download is: you pop your CD into your computer, you download a program, and that program lives on your computer. SaaS, though, takes the software off of your computer, and makes the software accessible via someone else’s (the provider company’s) server. You log in to access your information that someone else stores, maintains and protects. Now, there are certainly advantages to using an SaaS model over a traditional, software model, not the least of which is the fact of increased mobility (anywhere you have an internet connection, you have access to your stored information and your program features). The SaaS model, also, does not use any space on your device(s), so you’ll have more memory for your massive iTunes library. (Oh, sorry, that’s me.) Of course, there are downsides to the SaaS model, as well, including perpetual monthly fees (for maintenance of the server you’re using), and the fact that your information is somewhere where you do not have essential control over it, somewhere on the computing cloud. The cloud computing issue also raises the specter of potential security breaches stemming from unauthorized access, especially relevant given the pending effectiveness of the Massachusetts statute on the subject. Despite the potential drawbacks, though, SaaS is the wave of the future. It just is. It’s easier. It’s less hassle for you. There’s the potential for more direct support and assistance. (Sure, at some points the service provider will need to access your information, but so does your IT guy when he troubleshoots. And, confidentiality and obligations to protect information can be memorialized by contract.) With more users coming in, costs can be decreased. 
And, with respect to the question of breach, I’d be more concerned about keeping my stuff on my computer, frankly. If you’re a solo attorney in Mendon (sorry, Mendon, I still love you), who do you think has better internet security: you or Apple? Law Practice Management Software delivered by SaaS: Be here now, because it is. The key to the SaaS Law Practice Management Software option is that you choose a reputable company that will be around for a while. If you choose a fly-by-night operator, you risk that company’s shutdown and the loss of access to your information.

But, choices, choices, choices . . . What should you choose?

Here are some specific options, broken down by category:

Software

PracticeMaster is the system we use here at LOMAP because it is an affordable and robust option for solo and small firm attorneys. We have demo versions available upon request. (Starting at $150)

Amicus Attorney is a fulsome system with features that include team research sharing and template document (macro) creation options. (Starting at $499)

Time Matters is the LexisNexis entry in the field, with all of the LexisNexis bells and whistles and all of the LexisNexis pricing. Features include project management options. (Starting at around $1,200)

Abacus Law has specific practice area versions of its product, as well as a general version. Features include rules-based calendaring and specific sync and integration options. (Price via Quote)

Needles is highly customizable software popular with personal injury and workers’ compensation attorneys. (Starting at $1,000)

PCLaw is a very sophisticated time and billing program that has case management functionality, such that some attorneys use it as a practice management system. (Starting at around $1,200)

SaaS


Clio is an intuitive product, based on familiar interfaces, so that it can be used “out-of-the-box”. Features include a timer, for billing. ($49 per month)

Rocket Matter is another intuitive product (think Apple-style: you remember Apple, and you remember Jeep). ($60 per month)

The second overarching choice you’ll have to make is whether you are going to also purchase the time and billing add-on for your Law Practice Management Software. You’ll have four options: (1) buy the Law Practice Management Software; (2) buy the Law Practice Management Software and its Time and Billing Add-On; (3) Buy a Separate Time and Billing Program; or (4) buy a Separate Time and Billing Program, and try to sync it with your Law Practice Management Software. The obvious advantage to buying the add-on, is that there is an easy sync, and you get your easy integration. Of course, you may save money buying a separate time and billing program, or maybe you just like a certain time and billing program, and don’t want to give it up. If you don’t know which time and billing program you might like, look into these:

Times & Chaos ($45)

RTG Legal ($95)

BSA ($300)

Quickbooks ($320)

And, although Quickbooks is a general accounting software program, it can be turned to an attorney’s use, even for trust accounting. And, to that end, we have made a short PDF guide available as well as the “Maintaining a Trust Account Using Quickbooks” book (2004), the latter available for your checking out of our lending library for a limited time period, the former yours to keep, via email attachment.

Now (and this is at the end (yes, this is nearly the end) because it is the most important consideration), before you get into any Law Practice Management Software system, keep in mind that: it’s easy to get in, but it’s hard to get out. Law Practice Management Software programs are so useful, in large part, because of the mass of information accessible through them. Of course, all of this information is of your providing. If you have been using Law Practice Management Software for any length of time, you will have mass amounts of important information saved through the program. The obvious, thorny question, then, when contemplating a switch, involves how to extract (from your old program) and then import (into your new program) all of that information. Oftentimes, the answer is that you may be better off sticking with what you have, sticking with a program you’ve fallen out of like with, because the transfer of information is just too costly or too inefficient. So, put in your research time ahead of time, and your testing time as well, and choose a product intelligently.

If there is just far, far too much information to handle at one sitting here, I understand. It’s nearly too much information to draft at one sitting. There are, however, two tools available for your aid, and for your learning pleasure:

Check out the ABA’s fine overview of Law Practice Management and time and billing Software options, here.

Or, come see us, and try-before-you-buy, with our Technology Center. LOMAP’s Technology Center is a dedicated computer terminal (if you’re Abe Vigoda, laptop if you’re Abe Vigoda’s grandkids, or something (Seriously . . . he’s known for “Good Burger”--what in the hell did Fish do to the guy who wrote his Wikipedia page?)) upon which we have downloaded software/provided web access (SaaS) to various Law Practice Management Software programs. We have several options available already, and will add further options as we receive latest versions of same. You might be asking now, Why would I come into your office to try these programs when I can just do the online demo? Well, the simple answer is that we know people. And, the versions that those people that we know have supplied us are more fulsome than the demo versions you’ll look at: you’ll have access to more features. So, stop asking your infernal questions, and just come on down! If you bring gummi worms (Sathers are best), I may even sit down and walk you through things . . .

Now, when you end up getting your Law Practice Management Software program, there’s no need to thank us . . . You’ll be too busy counting the ways you love it anyway.

. . .

Alright, I gotta run for now, in keeping on and keeping with keeping this one relatively short (haha, I know, I know). I’ve got to be well-rested enough for dinner Friday night at the in-laws. Don’t want to fall asleep in something au gratin, you know. (It started as dinner and then became Reno.)

Wednesday, September 16, 2009

The Thing is More Than Half Done Already: Economic Downturn Also Offers Unique Opportunities for Law Graduates

So, you went to law school. Now you’ve graduated, and you haven’t yet found a job. Or, you’re starting school again, entering your 3L year. Now you’re worried that you might not find a job. Well, as you know, you’re in it now. And the question is not whether to proceed, but, rather, how to proceed.

Of course, the sky is not cloudless. Anyone who says that the legal profession is not presently one in flux, and featuring large amounts of holes and its share of disjunctions, does not have his or her eyes open to the reality of the situation. Problems like: For one, most lawyers don’t make near as much as people think they do, including you. Oh, and then there’s your student loans. Don’t forget those. For another, there is the entrenched billable hours problem: the foisting of a twentieth century idea of charging upon the twenty-first century minds of your savvy clients. Oh, and everybody passes the bar now, too, which means it’s harder than ever to get a job, with all that mass of competition out there.

You have a stomachache yet? I do. And, I’ve even been out for a little while now.

But, it can’t be that bad, right? As bad as everyone says it is, right? Well, it’s pretty bad. The economy sucks for everybody right now. But, this is not to say that there is no hope. I believe that, despite the dragging of the general economy, and despite the dragging along of the legal profession, unique opportunities are now being presented to diligent law students turning attorneys. And, I intend below to present selections tending to four categories. I’m not attempting a magic, fix-all elixir here (nobody has that), but what I am saying is that, for those willing to hustle, a passable existence can still be scratched out while you wait out the improvement of the general economy in your foxhole of some kind of security. As you consider that, that the creation of a reputation is not a one day, or a one year, process, consider also that this too shall pass, as all things will, and do. You must not only keep in mind keeping yourself afloat for now, but you must also determine how what you are able to do, especially in light of the circumstances of today, will begin to look five, ten, twenty years down the road.

Engage in Social Media. You know, just because you don’t have a ton of experience doesn’t mean that you can’t engage in the discussion. A learning experience on social media sites can become the seedlings for your own growth of reputation in a field. There is still a cultural disconnect with respect to the use of social media and new technology as between older generations and younger generations: older generations, who’ve never had Facebook, think Twitter is, like, the most awesome thing ever, and is a great business tool, to boot; younger generations have been using social media for quite some time, and began that use for strictly social purposes, and tend to wonder why Twitter is so popular, as it is not robust at all in comparison to Facebook. In this scenario, you, as recent law graduate, or late law student, have the advantage. You know how to use all of this stuff, and feel comfortable doing it. Now your task is to turn the fun into a business endeavor that can help you to get a job, not a social endeavor that can hurt your chances of getting a job. You have, in the modern world, unprecedented, and easy, access to those masters of the legal realm that you could never have gotten to before. Become part of the conversation, broadcast your questions, but also your ideas, thoughts and interesting points. Market yourself for reputation in support of your job search, or market your reputation in the advancing of the cause of your new law firm. If you’re marketing your firm, or yourself, as a solo, be careful to stay within the strictures of the Massachusetts Rules of Professional Conduct, which are extrapolated for new media. But, don’t be overfearful: jump into the cultural lag-breach, and make a name for yourself.

Check out a few of these law students/new lawyers, who have already done so: the Twitter monster known as Rex7; social media maven Leora Maccabee; the LinkedIn Lawyer, David Barrett; and, king of all media, Gabriel Cheong.

Work Pro Bono. You’ve always talked about working pro bono, knowing it’s a good thing to do. And, if you’re not working now, well, now’s the time to do it. You likely won’t get paid, and, yes, it is increasingly difficult to find pro bono volunteer positions in such a fierce job market, so it may be tough to land a gig; but, keep pushing, and don’t be afraid to cobble a couple of opportunities together, to create a volunteering segment of your resume. It’s always better to do something, even something for free, than to do nothing. Potential employers favor industriousness, especially if that industriousness is exercised within the realm of the field you intend to enter. And, if you have immense trouble finding a paying position to supplement your pro bono efforts, think outside the legal field. I don’t care what anybody says, over-excessive pride is not a good thing in this status quo. If you have to get a job at Stoppie’s, work at Stoppie’s. It’s not the end of the world. You’ll only be as embarrassed as you feel. And, there are plenty of good people who work hourly wage jobs; and, remarkably, I know, they’re good people despite the fact that they aren’t lawyers. You see some sucky jobs moving up the ladder, and you have to put in your time sometimes. That’s just the way it is. Everybody goes through it. Don’t let your preconceived notions and hubris get in the way of your ultimate success. Mark Twain was penniless many times over; Ulysses S. Grant was classed a degenerate drunkard; Abraham Lincoln and Harry Truman were, at times, viewed as failed, or failing, politicians.

Raise the Bar for Small Firms. So, you can’t get that job at a large firm. You’re probably better off, frankly. Oftentimes, the large firm lifestyle is a glorified version of wage slave. Sure, you’ll be paid well (although those big salaries are definitely going to experience a "market correction", in the legal sense, and very soon), but what does money mean when you can’t enjoy any of it? You’ve been paid handsomely to sit at a desk while your life departs from you at breakneck speed. Great. That’s not my style. Now, some people can apparently make the large firm gig work; but, it takes a specialized personality: one that absolutely and unequivocally loves the law. And, there will be sacrifices, and serious ones, regardless of how well you turn the script. One potential positive stemming from this current economic disaster is that there is likely to be a trickle-down effect: wherein the best and better candidates take “lesser” positions than they otherwise would have, in a better economy. (Not every better candidate is taking Ropes and Gray money to work pro bono.) This may be your unique opportunity to become a more vibrant and integral contributor to a smaller firm than you would have ever had the chance to be before. Your voice is more likely to be heard (and social media and marketing may be your “in” to responsibility, as most smaller firms will ask for your heavy hand in marketing) now, more than ever. Faster track yourself; look at the small(er) firm option.

Or, Start Your Own Firm. Starting your own law firm is a serious endeavor; but, if you think well about it, and determine that it is your course, it is certainly not impossible to make a go of it, if you are willing to hustle. Hell, that’s why we’re (LOMAP’s) here: to aid in the process of discovering whether it is your thing, what you want to do, and, if so, how to go about it. Younger lawyers are more willing to try and apply new things, and this can be an advantage. Technology, and the efficiency it brings, can grant you massive time savings over your letter-writing competitors. The application of alternative billing philosophies can give you a marketplace edge. An aggressive nature and deep-felt work ethic applied at the outset of your practice can help to make your reputation for years to come. The most difficult aspect of starting a firm from scratch is in the development of a client base. Of course, on the other hand, it is easier and cheaper to market yourself now than ever before, when you use social media marketing, and other new technology, to promote yourself, and your firm. Most disadvantages can be turned to potential advantages with a little creative thinking and hard work, unless you’re Eric Gagne on the 2007 Red Sox. That’s just an irredeemable situation there. (Don’t buy these.) In any event, starting a law firm, and gestating a successful law firm, is often what you make it. Of course, this is not to say that you should leave Grandpa entirely in the dust, trailing you in his Rascal. That is, because, finding a mentor to lead you through the steps for creating and for maintaining the successful law firm, and to run questions by, can be essential . . . you just don’t have to listen to everything you’re told.

Perhaps some of your butterflies have now flown, in your consideration that you may not end up in the breadline after all. (And, in all honesty, with the institution and entrenchment of New Deal and New Deal-style social programs, it is very difficult to become abandoned by modern society, unless you fall on the wrong side of the unofficial war on drugs.) Sure, things are difficult, but not impossible. You should be proud of your achieving your juris doctor and bar passage, as you make those steps. Just make sure that you recognize, that your hard work is far from over: it is only just beginning.

. . .

Alright now, while all the grandfathers and grandmothers are trailing us, let’s talk seriously. I figure I’ve got about a decade left of remaining somewhat cool and relevant, the end of which time will likely coincide with the falling out of the greater part of my head (not ear-cruel fate!!!) hair. (For those of you who have seen me this past week, this process has been abetted by a razor clip mistake that has resulted in a strip of my hair becoming missing.)

So, I discovered a new musician the other day, courtesy of my 17-year-old sister-in-law, Sarah, who, in return for my finding some sweet old school jams, like James Taylor’s “Nothing Like a Hundred Miles” (that’s right, you won’t find that on YouTube), keeps me up to date on new artists through the use of the iTrip on long car rides. (I swear to God, without Sarah and my wife Jessica, my music knowledge would have ended at roughly 1993, with a gaping blackhole appearing thereafter.) This is how I first learned of Wyclef Jean’s “Sweetest Girl”, and so verily impressed my co-workers.

So: Who’s the latest, you ask? So, there’s this dude named Adam Young, who has formed a one man band, initially starting in his parents’ basement, because he is an insomniac, and apparently had nothing better to do. Tell me about it. Anyway, I thought it was trippy because he sounds JUST LIKE the guy who is the lead singer for Death Cab for Cutie (Benjamin Gibbard); anyway, I like Death Cab, so I liked the sound to begin with. But, as I’ve listened to more tracks, I started to like Owl City in its own right. People are calling this electronica, and, yeah, it looks like this dude strictly uses a synthesizer, but this is far closer to straight pop than to electronica (and, we all, by now, know of my genetic addiction to bubblegum pop); but, I would never tell you to take my final word for it. Check out some of these songs, and I think you’ll be impressed: “Vanilla Twilight”, “Fireflies”, “Hello Seattle” and “Hot Air Balloon”, the last of which kind of sounds to me like a combination of Death Cab, POTUSA and Nena. Another good track is “The Saltwater Room”, which Mr. Young performs with Breanne Duren, another MySpace-generated singer, who also appears (in the role of Ronnie Spector) on Jamestown Story’s remake of Eddie Money’s “Take Me Home Tonight”, which sucks, by the way, in comparison to the original version. That’s right, I said it.

(By the way, there’s absolutely no way Eddie Money is really playing that sax. Maybe my musical knowledge actually stops at 1986. Damn, Wasn’t that the year Genesis hit with “Invisible Touch” . . .)

Thursday, September 10, 2009

Facing Financial Reality: Tools to Create a Personal Budget

Clearly one of the most stressful issues that attorneys face day-to-day is financial uncertainty. A large percentage of attorneys operate in solo and small firms which, like many American families, operate from paycheck to paycheck. The only difference is that the paychecks come from clients who are often slow in paying. Therefore, cash flow is inconsistent and stress rises as mortgage payments come due. Rather than using this as a motivator for financial planning, I find many attorneys simply throw up their arms saying that financial planning is impossible. In truth, financial planning is not impossible; it is simply more difficult where the income stream is inconsistent. To meet this challenge and reduce the stress, attorneys must recognize that financial planning using a real budget is of critical importance.


A good starting point for any attorney is to develop a personal home budget based upon actual income and expenses. This personal budget will provide a key tool for evaluating both your bottom line income needs, and also will help you identify excess spending. A key to developing a successful budget is accurate information that reflects the economic reality based on a careful analysis of historic spending and income. This is critical because we all tend to underestimate our spending and overestimate our income. Here are several tools for creating a realistic budget.


A first option is to use Microsoft Excel or another spreadsheet program, all of which have free templates that can be used to create a personal budget. For example, Microsoft personal budget templates may be found at the Microsoft site. To populate the critical information you will do an analysis of your bank account, bills, credit cards, etc., to determine your spending and income for the last six months.


A second option is to purchase personal finance software like Quicken or Moneydance. These are relatively cheap (less than $40.00), support on-line banking and bill payment, and help manage your budget. These programs require less input than a spreadsheet template, but will require some input and analysis by you.


The third option is to sign up with free internet-based software vendors such as mint.com, intuit.com (free Quicken on-line), or yodlee.com, that provide personal budget programs. These sites will do a complete analysis of your spending and income, help you set spending and saving goals, track how you are doing, and help find ways to save more money. For example, mint.com will suggest where you can improve on interest rates on loans and credit cards, help you prepare for tax season, and will provide helpful advice on how to achieve your goals. A word of caution: to effectively use the on-line service providers you will need to provide them some access to your financial information, so look at technology reviews and user agreements, and exercise caution about the security used by the site to ensure that the site is keeping your information as safe as possible.


Once you have gained control of your household budget you can easily implement the same financial controls in your firm. There are excellent programs that will allow you to get the same financial control of your law office as you will have in your personal life. These software programs will track and reconcile your operating accounts, IOLTA and trust accounts, and provide real time financial reports to determine cash flow, budget projections, and profit/loss statements. Contact Mass.LOMAP to get a list of available programs. You can also set up an appointment to use our technology center and demo a number of programs.

The KGB is After Us: Think in the Black, Not in the Red

I enjoy Jay Shepherd’s blog postings at both Gruntled Employees and at The Client Revolution. I think that his posts are pithy, witty and urbane. It’s his method, though, that I find to be the most interesting aspect of his production. I often wonder: What does Jay do to find his object lessons, his apt, everyday examples that help explain more complex legal and business concepts? Is he sitting in the barbershop getting a fresh ‘do when old Ralph says something that moves him to construct a blog? Is he watching Top Chef on Bravo when Tom Colicchio dresses some contestant down for a mistake that is like to one that big law might make? Is he rolling down the highway with the moon roof opened listening to Willie Nelson when the way the sun is striking upon the passenger’s side visor moves him toward writing? No, that’s crazy. Jay Shepherd wouldn’t listen to Willie Nelson. I see him as more of a Son Volt guy.

But, now I know. I had a Jay Shepherd moment yesterday, at the gym, on the treadclimber, watching the Red Sox (on commercial break).

(Explanatory: Don’t worry, Jay, I’m not stealing your schtick: this is a one-time only thing for me. Besides, I like to write blog posts that are about 9,000 words longer than this one will be. Blovels, macroblogging: may be outside the client revolution, ya dig.)

. . .

Strangely absent from the general web, but ubiquitous lately, during the commercial breaks from Red Sox telecasts, has been a commercial for the paid-text-for-answers provider, KGB, the "Knowledge Generation Bureau", which features the protagonists conversing over baseball signs respecting the last Red Sox no-hitter: Jon Lester; May 19, 2008, in case you were wondering--here’s an extremely illegal reproduction.

But lo, here is the exact same commercial, with the exact same protagonists, only this one features the Yankee version of something of the same discussion respecting the last Yankees perfect game: David Cone; July 18, 1999.

So what? You ask. So what? Well, what it is is that this is a fairly ingenious piece of marketing. First, it’s a fun concept; but, that’s nothing earth-shattering. People are funny. Second, though, is that the characters are not speaking to each other: they are using baseball signs to communicate, and what they are saying is expressed in subtitles. This means that the subtitles can answer for the same general question (last no-hitter/perfect game by home team) in any American baseball city, assuming that team’s city has a no-hitter or perfect game to its credit. The only spoken word segment represents the punchline to the joke (“Your fly is down.”), which is generic, and could be generally applied for an ad in any city. KGB, then, has produced one ad, which can be easily repurposed for use in any city in America with a professional baseball team. In fact, the ad is so generic that any sports-related, or other, subject matter, for that matter, could be covered, as long as it comes to meet the extended punchline. KGB was able to produce a winning advertisement that could be easily repurposed, and that could still appear unique to various viewers. Plus, they saved a bunch of money filming one ad, rather than thirty or so.

If you can think outside the batter’s box, and can apply this same sort of cost-effective, but effective, application to your advertising, you’ll be hitting a home run.

(Postscript: Of course, the one question I can’t answer is why on Earth anyone would use a service like KGB, when there is already a free alternative out there. IT’S CALLED GOOGLE.)

Thursday, September 3, 2009

Risk Reward: Effective Date for Massachusetts Data Privacy Law Moved Out (Again); Regulations Revised

Perhaps not surprisingly (conventional wisdom having been very sage, if hopeful, in this particular case), the effective date for the Massachusetts data privacy law has once again been pushed out (the fourth such extension is this; representing a total push of 15 months out of time): from January 1, 2010 to March 1, 2010. (It’s okay to jump up and down now.)

But, wait . . . There’s more. In once again pushing back the effective date for the application of the Massachusetts General Law Chapter 93H omnibus security breach/data privacy/identity theft regime, the Office of Consumer Affairs and Business Regulation has also extensively revised its identity theft regulations, at 201 CMR 17.01, et seq. (You can stop jumping up and down now.)

The announcement of these changes, made via an August 17 press release by the OCABR, takes the form of four official state documents, including said press release, as well as the revised regulations (an available redlined version being particularly helpful), a new set of FAQs on the changes made to the CMRs and a notice of public hearing concerning the revised regulations.

Each of these various documents offers important guidance, even though the regulations represent the only one of the documents having the force of law. So, then . . . Let’s Review:

(That’s right, I am going to attempt a straight review, without much of my rhetorical flourish . . . much.)

The 8/17 Press Release. The press release announces the new effective date (3/1/10), for the revised regulations, as well as the date (9/22/09) for a public hearing on the revised regulations. More broadly, the release seeks to define the new tenor of the law, including the notion of its enforcement. According to the release, the changes to the regulations seek to more favorably balance the interests of consumers with those of the small businesses that must comply with the law. The revised regulations are said to represent a new, risk-based approach, that will provide businesses more flexibility in creating unique WISPs, that will more accurately reflect the realities of their particular business situations, the regulations then becoming “risk-based in implementation, not just enforcement”. The new regulations also represent an acknowledgment that technological feasibility (read (really): how-much-a-business-can-afford-to-pay-for-certain-technology) plays a part in what businesses, especially small businesses, can do to comply with the law. The regulations, then, have become technology-neutral, with a new focus on feasibility. Overall, the regulations are said to now be more consistent with federal law.

The Revised Regulations. The redlined version of the regulations is the best place to get a look at what has been struck, what has stuck and what’s new. Now, these regulations are not set in stone (neither was the last set, of course), especially as changes may be in the offing following the September 22 public hearing; but, this is the most recent edition we have to work with, and is certainly the first look into the government’s state of mind respecting the purposes of these changes.

17.01 In running down the regulation, the first thing you’ll notice is that there has been a subtle shift made to the purposes of the regulation. One purpose is no longer to establish minimum standards for compliance (plus the statutory purposes adopted). Although the regulations do still establish minimum standards for compliance, it is no longer one of the purposes of the regulations. Theoretically, this provides businesses a bit more freedom, and flexibility, in the designing of their information security protocols. The new purposes same as the old purposes, then, are those adopted from the statutory language of chapter 93H, but more directly. The former regulation had changed the statutory language respecting protection against unauthorized access or use that “may result in substantial harm or inconvenience to any consumer” to protection against unauthorized access or use that “creates a substantial risk of identity theft or fraud against . . . residents.” The statutory language has now been adopted directly, so creating, indirectly, a more difficult charge for businesses affected, which, under the terms of the statutory language, have more to look after. The OCABR giveth, and the OCABR taketh away.

The OCABR has also removed the “store/maintain” category of information holders; the “own/license” category remains. Given that no one really had any idea what these categories meant before, or what the difference between them was, there is really no great change, I suppose. And, this point underlines one of the main issues with the prior regulation: that none of these four terms, nor the two groups of terms, were ever defined.

17.02 Thoughtfully, “own/license” has now been defined, albeit so broadly that anyone having “access to [protected] personal information” is an owner/licensor. Or, not so thoughtfully. This is patently ridiculous, of course. Practically, “own/license” can have no meaning when defined so broadly. So, suffice it to say that “anyone” and “everyone” who has access to protected personal information must care for it after the terms of the company WISP. And, certainly, this is the way that smart businesses have approached this issue from the very beginning: that an appropriate WISP must be created and diligently enforced, as applicable to every person employee.

The existing definition for “encrypted” has been tweaked, in keeping with the new approach that the regulation be technology neutral. The requirement for the use of an algorithmic process for encrypting has been removed; the only remaining requirement is that a confidential process or key is required to break whatever encryption method is used, essentially freeing the encryption type choice.

Helpfully, a definition for “service provider” has been added. The “service provider” is a person, broadly defined, who is permitted access to protected personal information by another person, broadly defined, subject to the Massachusetts data privacy law, for the purpose of providing direct provision of services to that another person, broadly defined, subject to the Massachusetts data privacy law. Someone, then, or some company, to whom you permit access to your stored information, so that they may perform a service for you, is a service provider. Fair enough; and, the fact of your granting them permission separates them out from those breachers who access your stored information without permission. Service providers are more like vampires, invited into your home. But, the real question respecting service providers has never really been who they are, or what they, generally, do. The point has always been the determination of what, exactly, businesses must do to vet and/or monitor their service providers. The revised regulations come closer to answering that question. And, we get closer to covering that answer.

17.03 Most of the red ink in the revising of these regulations has been spilt for changes made to this section. The changes appear, then, at first blush, sweeping. But, only one section of changes really represents a dramatic maneuver, and not the one you’d think. The requirements for a WISP have become less stringent, or, at least, the intention was to make them less stringent. The change to the WISP requirements more directly implicates what I have called the “totality of (most of) the circumstances” test for determining what a business is truly capable of pulling off with respect to the protection of personal information that it stores; thus, a WISP must now contain “administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.” And, there are your four circumstances for the consideration of whether or not your WISP is compliant. Of course, those considerations were present in the prior version of the regulations. Practically speaking, then, the only real change here is that the command that the WISP shall be “reasonably consistent with industry standards” has been removed. Aside from that, though, this looks awfully similar to the prior version. And, in the end, it seems that whatever leniency ends up being applied will be supplied via court decisions, with reasoning based on much the same language that has appeared here before.

Following down the page, there is a smart grammatical change at 2(c) as well as the deletion of the requirement to immediately terminate terminated employees’ access to protected records at 2(e). But, beginning at the new section 2(f), is where the largest changes occur. Although section 2(f) contains the term “oversee”, which may end up being an onerous burden for small business, the further descriptive subparts imply that that should not be the case. Now, reasonable steps are required to “select and retain”--inartfully applying a continuing obligation to continually vet/monitor service providers--service providers who can maintain “appropriate security measures” to safeguard protected personal information. Appropriate security measures are those that are consistent with the regulations and with federal requirements. This language now closely tracks the new formulation for the creation and maintenance of a WISP, where the appropriateness of measures likely reflects the sort of business engaged in, and the resources available to that sort of business. The second subpart requires that businesses bind service providers by contract to the implementation and maintenance of appropriate security measures for the protection of personal information. This appears a much more useful directive than the prior, general admonition for the vetting of service providers. Now, there are two steps: (1) verify capability of service provider to protect personal information; (2) sign service provider to contract memorializing their ability and willingness to meet legal requirements for protection of personal information--which seems to reduce or eliminate the need to monitor, breach of service = breach of contract, and a remedy for business and consumer affected, right . . . Now, although there is still little guidance as to what those “reasonable steps” for verification might be, there is now a contract backup, to determine the agreement entered into. 
Not that I would be disposing of my records respecting my questions to and answers from a service provider representing the reasonable steps I have taken to vet my service providers. There is also, note, an inducement here to engage service providers before the new effective date of the regulations, since contracts entered into before March 1 will be deemed to be in compliance with the regulations, even without the explicit provision for the maintenance of protective security measures. Here’s hoping that service providers will add such terms to their existing contracts, thereby removing the burden from consumers/business owners; but, why they would want to so bind themselves, I do not know, and likely would not do, unless I had to, or if it were easy for me to comply, if I were in their positions.

The revised regulations also feature the removal of other, prior mandates. The former section 2(g), requiring the limiting of the amount of information kept, for how long and for whose eyes, has been eliminated. Likewise, the former section 2(h), requiring the pinpointing of electronic and paper records containing protected personal information and the storage units for same, if all records were not protected under the terms of a WISP, has been dumped. Finally, the requirement to provide a written procedure for the accessing of paper records, as it appeared in the former section 2(i), has been removed.

17.04 Only two changes are made to this section of the regulations, which section covers much of the discrete technology-based requirements. The over-arching revision adds the language “to the extent technically feasible” in describing the application of elements of computer system security to the WISP and to the practice. This is consistent, necessarily emanating from, really, the revisions made to 17.01, which point to a looser interpretation of compliance, one more directly based on the needs and limitations of particular companies. The revision means that every subpart here is now read differently, in light of the particular circumstances of individual businesses. The only other change in this part is the removal of the “to the extent technically feasible” language formerly attached to the (3) encryption subpart, that removal being required to check a created redundancy, since the whole part is now governed by the question of whether what is to be done is or is not technically feasible.

17.05 There is a removal of the store/maintain classification, as there has now been throughout. The effective date of the regulations is moved to March 1, 2010, from January 1, 2010.

The New FAQs. The added Frequently Asked Questions primer may, in fact, have even more subtle goodies in it than the revised regulations. After you’ve read through the revised regulations, these FAQs’ll sort of appear like an Easter egg found about Memorial Day. Take that as you will.

Some of the notions for your attention (that is, if you got the notion):

The revised regulations, conforming to the new risk-based approach to information security, are consistent with federal law, especially the FTC’s Safeguards Rule. Hint: Check the safeguards rule. Looks as though this is a direction for finding out what the precedent might be, before the precedent becomes handed down. The Safeguards Rule also contains third party vendor provisions, which are the model for the third party vendor provisions in the revised CMR regulations.

There is more specific, albeit, still nearly wide-open, “guidance” with respect to the encryption of PDAs: Not all portable devices have to be encrypted. (Makes sense. Not all portable devices will have protected personal information stored on them anyway.) Since there is not a generally accepted encryption method, just do what is “technically feasible” (there’s that term again--but what does it mean?), and if you can’t encrypt your PDA, safeguard the protected personal information on it to the extent possible. (Meaning: If you can’t encrypt, manage the risk. That’s as catchy as “If the glove don’t fit, you must acquit”, no?) This segment ends by stating, rather matter-of-factly, that encryption technology is generally available for laptops. (i.e.--If you have protected personal information on your laptop, encrypt the device.)

The FAQs also provide some specific guidance on the protection of personal information on backup tapes, which has been a cloudy question to this point. There are several interesting points here: Going forward (so starting on March 1, 2010, I would imagine) backup tapes must be encrypted. However, if you are moving old backup tapes from storage, you must encrypt those tapes . . . if it’s technically feasible, of course. If it’s not technically feasible, you should take steps to protect the information contained on the backup tapes (so the backup tapes). The FAQs provide the oddly extreme example of using an armored vehicle and guards for the transfer of a “large” amount of sensitive personal information. Certainly an option for large companies; but, for smaller companies (and there is no further definition of what a “large” amount might be), likely not probable. What is this, Thailand?

A definition of “technically feasible” (= technologically feasible, what with all the context clues) is presented in the FAQs. Why the definition is presented in the FAQs and not within the regulation is sort of beyond me, but it is what it is, I suppose. The definition of “technically feasible”, then, as it appears, is really just a question of reasonableness, that old-timey standard.

Also welcome is some guidance specific to the encryption of email containing personal information, as this has been one of the major areas of concern for those seeking to comply with the regulations. Quite obviously now, under this new regime, you need only encrypt if it is technically feasible. If email encryption generally is not technically feasible, the best practice is not to send unencrypted personal information via email. The alternative suggestion is transfer of and communication relating to protected personal information via the establishment of an encrypted website with username and password access. Of course, that seems rather cumbersome, in some cases. For example, I’d rather just encrypt a PDF or Word document, and call the person I am emailing with the password. The secure website is a good idea for collaboration, but not for simple transfer.

If you swipe credit cards and debit cards, and only use swipe technology, but do not have custody or control over the information swiped and batch out the data in accordance with the payment card industry standards, then you are not an owner or licensor of personal information, and that information is not your obligation to protect under the data privacy regime. Apparently, there are special considerations if you “have employees”; and, reference, for that scenario, is made to a prior hypothetical, in which no mention is made of debit or credit card swiping procedures.

To compensate for the removal of language in the original regulations respecting the limiting of the amount of personal information collected, the length of time it is retained for and the limitation to a legitimate purpose for collection, the question of length of retention is addressed now in the FAQs. There is no maximum amount of time that a business can hold onto protected personal information; the timing question is a business decision. However, the suggested best practice is to consider what is essentially the former mandate of the relevant deleted portion of the regulations, the former 17.03(2)(g) reiterated.

With the deletion of the former 17.03(2)(h), you no longer need to make an inventory of your records, to determine which of those records contain protected personal information . . . but you should. Despite the deletion of this section and the above-referenced section, the suggestion here is that, although those segments of the regulation have now been removed, it is still best practice to make an inventory of your client records and information and to include within your planning for the creation of your WISP concepts concerning the purpose of your maintaining records.

How much employee training do you need to do, with respect to the Massachusetts data privacy regime? “Enough.” Oh, well, that’s helpful. Thank you.

In addition to the definition of “technically feasible”, there also appears in the FAQs another, less explicit definition, this one for “financial account”. “Financial account number” has previously been defined in the statute and remains defined in the regulation; but, a definition for “financial account” seems to be attempted here in order to provide further examples of financial accounts (some of which examples appear in the statute and still appear in the regulation), as well as to provide context for what sort of things hackers or other illegitimate persons can do when they get access to financial accounts. It strikes me as tortuous, and unhelpful, however, to define a financial account in the context of what certain persons can do to other persons once they have gained access to those other persons’ financial accounts.

Incidentally, an insurance policy number is a financial account number (important more for insurance carriers and resellers than lawyers, but still likely account information accessible and maintained by some lawyers, in certain cases), with certain conditions: IF “it grants access to a person’s finances” or IF it “results in an increase of financial burden, or a misappropriation of money, credit or other assets”. Certainly, this second option is just another definition by extrapolation, and as unhelpful to persons attempting to comply with this regulation as the above type definition; the first option--granting access to finances--is a much better definition, and measure.

The attorney-client privilege does not immunize you from compliance with the data privacy regulations--seems rather obvious, but someone must have asked.

Additionally, you must comply with the CMR even if you already comply with HIPAA. These are distinct obligations, even though there may be overlap, in certain places, and at certain points.

With respect to the general monitoring of your safeguards for your maintaining protected personal information, you should adopt a system that is “reasonably likely to reveal unauthorized access or use”. This guidance is generally consistent with the new tenor of the regulations, that businesses, especially smaller businesses, will be given more leeway in applying protocols consistent with the revised regulations and the statute. Likely obviously, standards for monitoring paper records versus electronic records should take into account the differences between those records.

The FAQs end on what is, really, a summation point: that compliance will be judged on a case-by-case basis, with the relevant totality of (most of) the circumstances (business size; business resources; amount of data stored; need for confidentiality) considered.

. . .

So, Where do we stand now? A little further away from the cliff face.

The most important change to the regulations is the leeway now provided to smaller businesses with respect to the actual implementation of technical security safeguards. The regulations are now technology neutral and grounded in the nature of a business for specific application of measures. The third party provider requirement changes are also significant; however, those are still not entirely clear as to what reasonable steps businesses must take in vetting service providers and as to whether and to what extent there is a continuing monitoring requirement, or if the new mandated contract term weds third party providers to liability. The FAQs are full of the right questions, with most of the right answers; and, some of those answers should have made it into the final version of the regulations. Overall, though, there is more bark than bite here, and the changes to the WISP requirement are not really staggering, or major. We’re getting closer, but not quite there yet. Perhaps another extension is in the offing?

Complaints? Is it all too much for you to take? Attend the public hearing relating to the changes to the regulations on September 22, 2009, and voice your disgruntlement.

(Yes, I know. Disgruntlement is not a word.)