
Privacy & Information Security Program Consulting

Got PI or PII or PHI? - Some Personal Information (PI), Personally Identifiable Information (PII) and Protected Health Information (PHI) is held by nearly every organization. In fact, it takes very little to make PI: 1) first and last name, or first initial and last name; PLUS 2) some identifying information such as a social security number, a driver's license number, a state-issued ID card number, a credit/debit card number, a financial account number or similar identity information.

If your organization collects, owns, holds or even transmits certain types of personal or protected information, various state and federal laws require that it be protected.  Data theft and identity theft are a growing concern. The organization Open Security Foundation tracks data loss on its website. The site is updated constantly and provides an empirical measure of how common data loss is. Not a month goes by without a report of another stunning batch of protected data lost or stolen.

Another source of information regarding data loss is published by HHS regarding HIPAA.  Under section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.  This updated list can be found here.

Data theft or loss triggers reporting duties, potential fines, possible legal liability and potential reputational damage.  The laws protecting consumers against the harms of data loss are growing stricter.  Massachusetts is now the leading state, with the most far-reaching protection for the PI of its residents, wherever that data is located.  That means, if you have financial information such as a check or credit card from a Massachusetts resident, you must comply with the new law - 201 CMR 17.00 - even if you are located outside Massachusetts.  Data loss need not be related to theft; simply losing a laptop computer with protected information triggers reporting duties, as the Open Security Foundation regularly reports.

Solutions to these challenges are both technical and legal.  The Written Information Security Programs (WISPs) required to comply with the laws have requirements for employee discipline, employee policies and training.  Legal issues are also implicated by the need to update or create document retention policies for the organization.  Regardless of where in the solutions process your organization is, we can help guide you toward appropriate solutions. Even if you do not know where to start, you can Start Here.

Our services include:

  • Confidential consultation and initial gap analysis

  • Identity Theft and Written Information Security Program Compliance - Massachusetts requires any organization anywhere holding banking, social security numbers or other defined Personal Information (PI) on any Massachusetts resident to be protected by a comprehensive Written Information Security Program (WISP); we can help draft a legally defensible WISP and conform it to an overall organizational Document Retention Policy as well as other information security and privacy laws; Learn more about Massachusetts' WISP requirements....

  • Identity Theft and FTC Red Flags Rule - The FTC Red Flags Rule requires financial institutions and creditors to create a written Identity Theft Prevention Program for Personal Identifying Information (PII); the Rule defines "creditors" very broadly to include just about anyone who offers credit, including small businesses outside the financial sector; noncompliance with the Rule presents significant risk because it entitles the FTC to bring enforcement actions on its own; we can help conform your written Identity Theft Prevention Program with Massachusetts' WISP requirements and an overall Document Retention Policy; Learn more about the FTC Red Flags Rule...

  • Vendor Selection - provide assistance in selection of vendors for privacy and information security programs; advice on contracting with all vendors who are in possession, custody and control of organizational data or records for compliance with Massachusetts 201 CMR 17.00 and similar laws that require protection of Personal Information

  • Investigations - confidential response team for internal investigations of harassment, fraud or information security breach involving an organization's IT system and computers

  • Privacy - confidential advice concerning privacy and information security laws including 201 CMR 17.00, Massachusetts Executive Order 504, HIPAA, Gramm Leach Bliley, the Patriot Act and others

  • Training - best practices for managing electronic records, legal hold and litigation readiness training; provide the Information Security Program employee training required by Massachusetts' new regulations, 201 CMR 17.00, and the FTC Red Flags Rule; confidential technical training and "fire drills" available on confidential live client data to develop in-house expertise in the application of legal holds to electronic storage and records retention systems; litigation readiness programs and training.

This Practice Area provides comprehensive preventative law services to organizations including public and private corporations, municipalities, government agencies and educational institutions regarding legally defensible approaches to document retention policies, legal holds, email & unstructured data storage, litigation readiness and information security programs.  Our approach to these issues is to identify and apply industry standards and best practices combined with an ongoing study of the evolving case law.

We work with our clients to take advantage of internal resources and team with a number of capable IT and RIM (records and information management) professionals to supplement client resources and deliver efficient, competent and cost-effective services.  We have experience in handling the most complex matters, including those involving millions of electronic documents and terabytes of data.

For more information about our Privacy and Information Security Practice please contact Steve O’Neill at or toll-free 888-766-3455.