The Massachusetts data security regulations’ “safe harbor” for certain pre-existing service provider contracts will expire on March 1, 2012. Companies should ensure that they have updated agreements with service providers, if necessary, by that date.
As we have previously reported over the past several years, the Massachusetts data security regulations, originally issued in September 2008 by the Massachusetts Office of Consumer Affairs and Business Regulation, impose far more detailed and comprehensive data security requirements than other U.S. states and most other countries. While the compliance date for the regulations (March 1, 2010) is nearly two years past, the safe harbor in the regulations relating to pre-existing service provider contracts is set to expire on March 1, 2012.
The Massachusetts data security regulations apply to any person that “own[s] or license[s]” personal information about Massachusetts residents. 201 C.M.R. § 17.01(2). Despite its seemingly narrow ownership language, the regulations define this phrase broadly to include the acts of receiving, maintaining, processing, or otherwise having access to personal information in connection with providing goods or services or in connection with employment. 201 C.M.R. § 17.02. As a result, the regulations apply broadly to any person (or business) that receives, maintains, processes or otherwise has access to personal information relating to a resident of Massachusetts in connection with providing goods or services or in connection with employment.
Please see full alert below for more information.
Firefox recommends the PDF Plugin for Mac OS X for viewing PDF documents in your browser.
We can also show you Legal Updates using the Google Viewer; however, you will need to be logged into Google Docs to view them.
Please choose one of the above to proceed!
LOADING PDF: If there are any problems, click here to download the file.