Massachusetts has tightened the requirements for companies holding personal information about its residents. Effective as of March 1, 2012, organizations that own or license personal information about residents of the Commonwealth of Massachusetts must include in all agreements with vendors and other third-party service providers contractual provisions that require those providers to maintain appropriate security measures to protect personal information. This requirement is not limited to organizations located in Massachusetts but applies broadly to any organization, wherever located, that owns or licenses personal information regarding Massachusetts residents.
In March 2010, Massachusetts enacted strict proactive data security regulations (the "Regulation") to address the risk of security breaches and accidental disclosures of personal information. Since that time, persons that own or license personal information of Massachusetts residents have been required to develop and implement a written comprehensive information security program ("CISP") to protect that information. An organization's CISP must, among other things, restrict physical access to records containing personal information, contain security policies for storage and transportation of records containing personal information outside business premises, and provide security measures for computer systems (such as encryption of personal information transmitted across public networks or wirelessly).
With respect to third-party service providers, since March 2010 the Regulation has required an organization to take reasonable steps to select and retain providers that are capable of maintaining appropriate security measures to protect personal information. The Regulation also contains specific requirements for third-party service agreements, but included a grace period until March 1, 2012 for certain agreements, and deemed older agreements (i.e., those entered into before March 1, 2010) in compliance. Those requirements for third-party service agreements now apply. Beginning March 1, 2012, a CISP must require third-party service providers by contract to implement and maintain appropriate security measures to protect personal information consistent with the Regulation and any applicable federal regulation. Older agreements are no longer deemed in compliance.
The Regulation applies to a corporation, association, partnership or other legal entity that owns or licenses personal information of a Massachusetts resident, regardless of where that entity is located. The term "personal information" is defined broadly and consistent with the state's data breach notification law: it includes a Massachusetts resident's name in combination with a Social Security number, driver's license number, financial account or credit card number, or certain other non-publicly available data elements. The definition of "owns or licenses" is also broad and includes receiving, storing, maintaining, processing or otherwise having access to personal information in connection with employment or the provision of goods or services. As such, the Regulation is likely applicable to many national and multinational organizations whose employees, customers, or business contacts include Massachusetts residents.
For entities in highly regulated industries, such as financial services, the Regulation may not impose any new requirements. For many other entities, however, the Regulation may require changes to their information technology architecture, policies and practices.
For further background on Massachusetts data security law, please see our posting from July 2010 entitled "US Privacy Law Developments".
 - 201 C.M.R. 17.00 et seq.
 - 201 C.M.R. 17.03-04.
 - 201 C.M.R. 17.03(1)(f)1.
 - 201 C.M.R. 17.03(1)(f)2.
 - 201 C.M.R. 17.03(1)(f)2.
 - 201 C.M.R. 17.02.
 - 201 C.M.R. 17.02.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2012 White & Case LLP