Who is a member?
Our members are the local governments of Massachusetts and their elected and appointed leadership.
Municipalities have long been challenged by the need to maintain, secure and reproduce public records. Long-standing laws dictate how a municipality must keep and make available notes of public meetings and discussions among elected officials.
Recent developments in both governing statutes and judicial rulings will significantly affect the manner in which municipalities now manage their documents.
On March 1, a state regulation (201 CMR 17) took effect that is intended to ensure the security of personal information. The new regulation, promulgated by the Office of Consumer Affairs and Business Regulation, requires any business that obtains personal information to create specific safeguards for the use, storage and disposal of that information.
“Personal information,” as defined by the regulation, includes any combination of names, social security numbers and drivers’ license numbers. Any business that possesses such personal information must create and maintain appropriate safeguards against its loss or theft. Violations are subject to significant fines and/or penalties.
Each entity is required to have a Written Information Security Plan that outlines the manner in which it protects personal information in its care, custody and control.
The promulgation of 201 CMR 17 is well-known to private industry, but is less familiar to many public employers. When enacting the law that called for the regulation, the Legislature decided to exempt municipalities from its requirements. Because of this exemption, many municipalities have viewed 201 CMR 17 as unrelated to their operations.
It is important to note, however, that 201 CMR 17 was created under existing statutes (M.G.L. Ch. 93H and 93I) that serve as the enforcement provisions and dictate what steps an organization must take to notify consumers and regulatory authorities in the event of a loss or theft of personal information. The statutes create specific notification requirements that must be followed by any entity that has lost personal information.
Even though municipalities are specifically exempted from 201 CMR 17, there is no such assured exemption from chapters 93H or 93I. Therefore, while municipalities are not expected to create and maintain rigorous procedures to prevent the loss or theft of personal information, they are required to provide detailed information on the method of loss, level of loss and significance of loss of any personal data in their control.
A good data management policy would consider the suggestions contained within 201 CMR 17 to help safeguard the municipality against any penalties that could be incurred by a loss of personal data.
Guarding against liability
An additional development affecting the management of municipal documents and communications arises from a U.S. District Court ruling in Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al. In this case, which did not involve a municipality, a federal judge ordered significant sanctions against a defendant who did not thoroughly reproduce e-mail and other documents in connection with a discovery order.
In her decision, issued on Jan. 11, the judge ruled that, even though the defendant’s failure to maintain the records was neither intentional nor malicious, the failure to maintain them was improper and created the need for sanctions. Included among the sanctions was an instruction to the jury to deem the failure of the defendant to maintain the records as an indication that those records would have been detrimental to the defendant’s position. In short, even an erroneous failure to maintain a record is now viewed by the court as a violation of record maintenance and required discovery.
While the federal court ruling was levied against a private corporation, it applies to all potential defendants, including municipalities. It is increasingly apparent that municipalities need to have a clear and effective policy for the preservation of all records, including electronic communications. The failure to maintain those records, even if accidental, can have major consequences for a municipality involved in litigation.
Managers should ensure that their city or town has a clearly defined records retention program. Those retention efforts should extend, in some cases, to the use of personal e-mail by elected or appointed officials. If otherwise “private” e-mail is used in the conduct of municipal business, it becomes subject to public record laws and should be preserved for inclusion among documents related to potential litigation. Public officials should consider whether they wish to use their private e-mail account to conduct municipal business, as that account may become subject to public review.
A strategy that may benefit all defendants – municipal defendants in particular – is the concept of a “pre-litigation hold.” A pre-litigation hold would require anyone potentially involved in likely litigation to preserve all communications until such time as it is clear that the litigation will not occur.
In many circumstances, potential plaintiffs advise municipalities of their intention to litigate an issue. When the municipality first learns of the potential for litigation, it should advise all involved staff persons to preserve and maintain any communications or documents that may be relevant to that litigation. [Beginning in 2010, MIIA has begun asking member municipalities to preserve all written and electronic communications related to specific claims.]
As information becomes easier to share, the need to protect privacy and secure private information is more critical than ever. Consumer expectations and governmental regulations are increasing the demands for safeguarding public information. Municipal managers will continue to be challenged by the need to protect and reproduce information.
Michael Cusack is MIIA’s Claims Manager.