Massachusetts Data Security Regulations: Deadline Looms for Amending Service Provider Contracts


Just a reminder that March 1 is an important deadline with respect to the Massachusetts data privacy and security regulations (the “Regulations”). As a refresher, the Regulations require all entities that “own or license” personal information of Massachusetts residents, wherever the entity is located, to comply with provisions requiring specific administrative, physical and technical safeguards for that personal information. An entity “owns or licenses” personal information, and so must comply regardless of its location, if it receives, stores, maintains, processes, or otherwise has access to personal information of Massachusetts residents in connection with the provision of goods and services or in connection with employment.

To reduce the risk of data breaches involving third-party service providers who will have access to personal information in some way, the Regulations require covered companies to take reasonable steps to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the Regulations mandate that covered companies contractually require their service providers to safeguard personal information in accordance with the Regulations and applicable federal requirements. Because the Regulations define “own or license” so broadly, most service providers, from your payroll provider to your e-commerce hosting provider, are likely to fall within this requirement.

The contract provision includes a grandfather clause: contracts entered into before March 1, 2010 are exempt from this requirement until March 1, 2012. By March 1, 2012, companies that own or license personal information of Massachusetts residents must ensure that their pre-March 1, 2010 contracts with third-party service providers have been amended to incorporate the required contractual safeguards. Service provider contracts entered into on or after the March 1, 2010 effective date of the Regulations have been, and continue to be, required to contain such a contractual commitment to compliance from the outset, with no grace period.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin | Attorney Advertising
