The Massachusetts Service Provider Contract Safe Harbor Set to Expire


The Massachusetts data security regulations’ “safe harbor” for certain pre-existing service provider contracts will expire on March 1, 2012. Companies should ensure that they have updated agreements with service providers, if necessary, by that date.

As we have previously reported over the past several years, the Massachusetts data security regulations, originally issued in September 2008 by the Massachusetts Office of Consumer Affairs and Business Regulation, impose far more detailed and comprehensive data security requirements than other U.S. states and most other countries. While the compliance date for the regulations (March 1, 2010) is nearly two years past, the safe harbor in the regulations relating to pre-existing service provider contracts is set to expire on March 1, 2012.

The Massachusetts data security regulations apply to any person that “own[s] or license[s]” personal information about Massachusetts residents. 201 C.M.R. § 17.01(2). Despite its seemingly narrow ownership language, the regulations define this phrase broadly to include the acts of receiving, maintaining, processing, or otherwise having access to personal information in connection with providing goods or services or in connection with employment. 201 C.M.R. § 17.02. As a result, the regulations apply broadly to any person (or business) that receives, maintains, processes or otherwise has access to personal information relating to a resident of Massachusetts in connection with providing goods or services or in connection with employment.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Reporters on Deadline


Morrison & Foerster is an international firm with more than 1,000 lawyers across 15 offices in the... View Profile »

Follow Morrison & Foerster LLP: