Data Privacy Update


The strict Massachusetts data privacy and security regulations (201 C.M.R. 17) that took effect March 1, 2010 are designed to protect personal information of Massachusetts residents (including the combination of an individual’s name with financial, bank or credit card account, driver’s license, or social security numbers). The regulations require companies handling this type of information to adopt a Comprehensive Written Information Security Program and to encrypt personal information on laptops and other portable devices (as well as data transmitted across public networks or wirelessly), among other administrative, technical, and physical safeguards.

Companies subject to these regulations must also take reasonable steps to ensure that their third-party service providers that will have access to this data will protect it in the same way. Regulators understood that companies might need time to obligate by contract certain vendors (those with whom they did business prior to March 1, 2010) to meet this standard, and gave them a period of time to amend those agreements. This compliance grace period ends March 1, 2012. By that date, companies should have contractual obligations with all existing vendors that handle such personal information requiring the vendors to protect the information as set out in the regulations.

Companies that rely on third-party service providers to receive, store, maintain, or process the personal information of Massachusetts residents should consider whether their agreements with those vendors sufficiently commit them to maintain relevant security measures. If the third-party service providers process this type of data for other companies, they likely have been meeting this standard since March 1, 2010, or shortly thereafter, but some older contracts may not technically obligate them to do so.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.