Businesses that own or license any personal data regarding Massachusetts residents have until March 1, 2012, to update vendor agreements to include requirements that vendors implement and maintain a data security program that complies with 201 Code of Mass. Reg. 17.00.
In 2008, Massachusetts enacted the Regulations (201 Code of Mass. Reg. 17.00), a set of comprehensive and detailed data security requirements that broadly regulate the storage, transmission and disclosure of personal information. These regulations went into effect on March 1, 2010.
They require every person or entity that “owns or licenses [sensitive] personal information about a resident” of Massachusetts to “develop, implement or maintain a comprehensive information security program that reflects (1) the size, scope and type of business; (2) the amount of resources available to the business; (3) the amount of stored information maintained by the business; and (4) the sensitivity of the information.”
The Regulations also identify twelve specific elements that all written information security programs must contain, and lay out minimum computer system security requirements.
Bear in mind that this requirement does not apply directly to service providers; it is imposed on the company that owns or licenses the sensitive information.
The Regulations require the owner or licensor of the data to require its third-party service providers by contract to implement and maintain appropriate security measures consistent with the Regulations. The Regulations give data owners or licensors until March 1, 2012, to update service provider agreements that were put in place prior to March 1, 2010. The obligation also applies to all contracts entered into after that date.
Thus, agreements that take effect on or after March 1, 2010, should impose the same sort of appropriate data security obligations on vendors.
For more information about this rapidly approaching deadline, please contact Jim Halpert, Kate Lucente or Jennifer Kashatus.