Massachusetts’ Data Security Regulation: Important Deadline Approaching

more+
less-

The deadline for compliance with a key requirement of the Massachusetts Data Security Regulation, 201 CMR 17.00 et seq. (the “Regulation”) is less than a month away. The Regulation requires that by March 1, 2012, all entities subject to the Regulation must require their respective “service providers” (as defined below) to implement and maintain appropriate security measures to protect personal information that are consistent with the Regulation and applicable federal regulations.

Who is subject to the Regulation?

Regardless of whether an entity maintains a place of business in Massachusetts, it must comply with the Regulation if it receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents in connection with the provision of goods or services or in connection with employment. The term “personal information” is defined to mean a person’s name in combination with certain sensitive information, such as a Social Security number, driver’s license number or other state-issued ID number, financial account number, or debit or credit card number. A full discussion of the Regulation can be found in our previous alert, which can be accessed here.

Requirements for overseeing services providers

The Regulation requires that subject entities oversee service providers by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate security measures to protect personal information. In addition, those service providers must contractually agree to implement and maintain appropriate security measures to protect personal information consistent with the Regulation and applicable federal regulations. Note that such oversight responsibilities apply only to “service providers,” defined as “any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.”

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.