March 1st Deadline for Final Phase of Massachusetts Data Breach Law
February 8, 2012 - Massachusetts information security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) took effect on March 1, 2010. On March 1, 2012, covered companies face a compliance deadline relating to their third-party service provider contracts.
To reduce the risk of data breaches involving third-party service providers, the regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.
The contract provision includes a grandfather clause, providing that all contracts entered into before March 1, 2010 are exempt from complying with this requirement until March 1, 2012.
Accordingly, companies that own or license personal information of Massachusetts residents must ensure they have specifically contracted with their service providers to implement and maintain such security measures before the pending deadline.
While the regulations only affect companies possessing personal information of Massachusetts residents, companies outside the scope of these regulations should nonetheless consider amending their contracts in conformity with the Massachusetts regulations to ensure that service providers are aware of their obligations to safeguard personal information.
The content of this article is intended to provide a general guide to the subject matter. The advice of a specialist should be sought about your specific circumstances.
Please contact Feeley & Driscoll's Boston Accounting team by Email or call us at 1 (888) 875-9770.