The Massachusetts data security regulations’ “safe harbor” for certain pre-existing service provider contracts will expire on March 1, 2012. Companies should ensure that they have updated agreements with service providers, if necessary, by that date.

As we have previously reported over the past several years, the Massachusetts data security regulations, originally issued in September 2008 by the Massachusetts Office of Consumer Affairs and Business Regulation, impose far more detailed and comprehensive data security requirements than other U.S. states and most other countries. While the compliance date for the regulations (March 1, 2010) is nearly two years past, the safe harbor in the regulations relating to pre-existing service provider contracts is set to expire on March 1, 2012.

The Massachusetts data security regulations apply to any person that “own[s] or license[s]” personal information about Massachusetts residents. 201 C.M.R. § 17.01(2). Despite its seemingly narrow ownership language, the regulations define this phrase broadly to include the acts of receiving, maintaining, processing, or otherwise having access to personal information in connection with providing goods or services or in connection with employment. 201 C.M.R. § 17.02. As a result, the regulations apply broadly to any person (or business) that receives, maintains, processes or otherwise has access to personal information relating to a resident of Massachusetts in connection with providing goods or services or in connection with employment.

Please see full alert below for more information.