Precocious First Grader Knows How to Get Down to Business

One of the benefits of having a child in elementary school is being invited to come in for "interview day" and having a pack of a dozen first graders ask questions about my job and how I help the community.  I told them that being a business lawyer is great because I get to help people solve problems and agree how to work together.  Plus, I help start businesses like toy stores, candy stores, and restaurants - all crowd favorites that day. But my favorite question was the first one that I received from a six-year-old girl in front: "How many emails do you get every day?"  She can barely read but knows how the world works.  I told the class the size of my email inbox and I think they thought I was kidding.  But what a different world these kids will be growing up in.

Privacy Trumps Freedom in Italy as Google Execs Prosecuted

With all the talk about the new Massachusetts privacy regulations about to set a new aggressive standard in the United States, it looks like the real privacy hawks are in Italy.  An Italian court convicted three Google executives today in a case that is certain to create confusion throughout the Tubes.  Italy, meet YouTube, and welcome to the 21st century. As reported by Wired Magazine (among many others today), the case against the three Google execs - none of whom is apparently in Italy - centered around what sounds like a disturbing video of Italian schoolkids bullying and beating up a mentally disabled classmate.  The problem was not that Google did not take down the video - it did! - it was simply that they didn't take it down fast enough.

With today's "share everything" mentality on the Internet, this case sets a dangerous precedent when you consider the "sue everyone" mentality that has also become pervasive in our society.  If adopted here, it seems as though this case could set off a new wave of litigiousness that would weaken not only the freedom we have come to know on the Internet, but also our legal system.  This is exactly the type of problem that Philip K. Howard talked about recently at the TED conference.

But that could never happen here in America, right?

REMINDER: Massachusetts Privacy Regulations Launch March 1st. Here is what you need to know.

There are only two weeks left to comply with the new Massachusetts privacy regulations.  And before you think that they won't apply to you, think again. I have written before about the new privacy regulations, which will be the toughest and most aggressive privacy rules in the country.  Even though the process has been long and included delays and adjustments, the regs are finally going into effect on March 1st.  And you don't have to be in Massachusetts to worry about them; the new rules will apply to anyone - whether based in Massachusetts or not - that holds certain information about Massachusetts residents.  As a review, here is what you need to know:

Who is covered?

The new law covers any individual, corporation, association, partnership, or other legal entity that handles a Massachusetts resident's personal information in connection with employment or with the provision of goods or services, as long as that information is not otherwise publicly available.  The personal information described here means a Massachusetts resident's name (first name and last name or first initial and last name) in combination with that resident's Social Security number, a driver's license or state ID number, or a financial account or credit card number.

What is required?

Those who are covered must create a comprehensive written information security program (a "WISP") to safeguard the information.  The WISP need only be appropriate to the size, scope, and type of operation the person or business is engaging in, the amount of resources available, the amount of the stored data, and the need for security and confidentiality, but that still means that most people will need to make some adjustments. Your WISP must cover:

  1. Designation of someone to maintain the WISP.
  2. Identifying and assessing reasonably foreseeable risks (both internal and external) to the confidentiality of the information whether on paper or electronic, and continually evaluating and improving the effectiveness of the safeguards through employee training and means of detecting and preventing security system failures.
  3. Developing security policies for the way the information is stored, accessed, and transported outside of business premises, and especially for the way the information is stored or transmitted on computers or wireless systems, including email.
  4. Imposing disciplinary measures for violations of the WISP rules.
  5. Taking reasonable steps to ensure that third-party service providers are capable of maintaining similar protections and requiring them by contract to implement and maintain appropriate security measures.

What kind of protection is necessary?

For paper records, you must provide for secure storage of materials containing personal information, such as physical restrictions (e.g., storage in locked storage facilities or containers) and limiting access.

For electronic records, the WISP must include, to the extent technically feasible, a system to secure control of user IDs, password selection and control, and restricting access to active users.  In addition, all electronic personal information transmitted wirelessly or across a public network, and all personal information stored on a laptop or other portable device must be encrypted.  It is important to note that encryption for this purpose does not mean password protection; the regulation requires the information to be transformed into a "form in which meaning cannot be assigned".  In other words, the information must be unreadable.  Password protection alone does not satisfy the requirement.

Are there standard procedures to follow?

The quick answer is no - each person or company needs to come up with unique procedures and safeguards that are both reasonable and feasible for its specific operation.  A large company will necessarily have more detailed procedures than a smaller company, and one industry may be held to a different standard than another on a case-by-case basis.  Your current procedures may be a good starting point and may, in some cases, already comply with the new requirements.  There is ambiguity in the law's use of the terms "technically feasible" and "reasonable" that leaves latitude for the specific terms of compliance.  Some of these will be clarified over time through lawsuits and enforcement actions, which simply reinforces the need to re-evaluate your program over time.

However, that ambiguity should not be confused with making compliance optional.  There are real consequences including lawsuits for breaches and in some cases civil penalties and fines imposed for each violation.

The bottom line is that you need to take this new Massachusetts law seriously, even if you are not in Massachusetts.  But you can mitigate the risk by establishing these minimum standards to safeguard the personal information and prevent unauthorized access.

Here are some additional resources for information on the regulations:

Can Law Firms Act Like Startups?

Listening to a great webinar by Brian Halligan and Dharmesh Shah about "Money, Marketing, & Management with the HubSpot Founders", I was reminded about a discussion that has been floating around the Web recently and on this blog as well.  Can law firms act more like startups? One of the themes in the webinar was how companies (particularly a tech startup like HubSpot) should change the typical management philosophy in order to grow and thrive.  Among other things (and to paraphrase a bit):

  1. An organization should break down the pyramid and flatten the org chart.
  2. Extend the "open door" policy to eliminate doors altogether.
  3. Trust your employees and don't try to over-structure company policies.
  4. Be transparent and include your employees.

So everyone sits together and moves around every three months.  Online collaboration tools allow employees to contribute to tools, products, and presentations.  Employees are given latitude and flexibility, which drive productivity.  These things work well in a tech startup where the emphasis is on agility and growth, but does that lend itself to a more "traditional" setting like a law firm?

Why not?

Large law firms have traditionally employed a pyramid structure - from the large pool of new associates at the bottom up to the very few managing partners on top.  Nothing is transparent and firm policies are monitored very closely.  Deals at large law firms get staffed with a range of partners and associates, which is sometimes more beneficial for the growth of the law firm (and higher bills) than for the sake of the deal.

Recently though, driven in part by a changing economy, clients, VCs, and even lawyers have reacted negatively to this seemingly outdated structure and have called for some changes.  As companies evolve, shouldn't their law firms?

I have seen a number of new firms pop up in the last few years that seem to embrace this new model - my firm, Trinity Law Group, is one of them - by leveraging technology to focus on clients rather than high-rent office space, billable hours, and expensive marketing.  By emulating the companies we represent, law firms can provide better value while adapting to a 21st century business model.

What do you think?  Have you noticed a change in the way you interact with your lawyers?

Trinity and Me

A quick aside from my regular posts to bring you some news on my practice.  As you can see by reading the updated sidebar on the right, I have recently joined Trinity Law Group LLC, a boutique business law firm in greater Boston.  Trinity is made up of some of the best lawyers (and people) I have had the chance to work with and I am very excited to be a part of the team. Watch for developments and more news throughout the social sphere as we intend to utilize some great new technology to better provide value to our clients.  You can read more about my move and about Trinity generally at www.trinitylg.com but you can read the press release in full below.

NEWS RELEASE

BUSINESS LAWYER DAN RYAN JOINS BOSTON’S TRINITY LAW GROUP

January 1, 2010 WESTWOOD, MA – Trinity Law Group LLC, a greater Boston law firm, announced that Daniel J. Ryan has joined the firm as an attorney and counselor at law.

Mr. Ryan will focus his practice on the organizational, operational, and transactional needs of entrepreneurs, startups, emerging and mid-sized companies as well as angel and venture capital investors. He has counseled and represented clients ranging from Fortune 500 companies and elite venture capital firms to solo entrepreneurs throughout the business and investment life cycle – from inception and formation, to franchising, licensing and other contracts, to growth and investment, and liquidity strategies. Dan Ryan previously practiced with large, international law firms, first in Denver, Colorado, and then in Boston.

According to Walter Wright of Trinity Law Group,  “We are thrilled to have Dan Ryan join us at Trinity Law Group. His substantial training, experience and competence, client commitment and passion for effectively using technology in the law fit perfectly with Trinity Law Group’s progressive and innovative approaches to working with clients and practicing business law.”

The author of THE BUSINESS LAW BLOG, “A business lawyer's thoughts on business law”, Mr. Ryan also presents on business and corporate law topics to attorneys, entrepreneurs, and other professionals, and has been a recurring guest speaker at the University of Colorado.

Daniel Ryan is a graduate of Boston College Law School (J.D.) and the University of Michigan (B.A.) and is licensed to practice in Massachusetts and Colorado. He is a member of the Massachusetts and Lawrence Bar Associations and is active in local organizations in North Andover and the Merrimack Valley. You can follow Dan Ryan on twitter @dryanesq.

About Trinity Law Group LLC. Trinity Law Group LLC is a greater Boston law firm that practices a broad range of business, corporate, and securities law throughout New England, the United States and the world with well-recognized attorneys of stellar academic and professional accomplishment who leverage technology and relationships.  Founder Attorneys Walt Wright and Daniel Clark are business savvy and entrepreneurial lawyers who started the firm in 2007 after serving in leadership positions in the Boston law firm Rich May, where Mr. Wright served as Managing Director and Mr. Clark served as President. Trinity Law Group attorneys leverage relationships, technology and strategy to create a competitive advantage for their clients in the business law sector. Trinity Law Group LLC attorneys share a “trinity” of values as cornerstones of professional life: competence, commitment and communication. Trinity Law Group holds the distinction of being named a “Preeminent Law Firm” for its legal ability and ethical standards in the Bar Registry of Preeminent Lawyers. Additional information on the firm and Attorney Ryan is available at www.trinitylg.com.