The strict Massachusetts data privacy and security regulations (201 C.M.R. 17) that took effect March 1, 2010 are designed to protect personal information of Massachusetts residents (including the combination of an individual’s name with financial, bank or credit card account, driver’s license, or social security numbers). The regulations require companies handling this type of information to adopt a Comprehensive Written Information Security Program and to encrypt personal information on laptops and other portable devices (as well as data transmitted across public networks or wirelessly), among other administrative, technical, and physical safeguards.

Companies subject to these regulations must also take reasonable steps to ensure that their third-party service providers that will have access to this data will protect it in the same way. Regulators understood that companies might need time to obligate by contract certain vendors (those with whom they did business prior to March 1, 2010) to meet this standard, and gave them a period of time to amend those agreements. This compliance grace period ends March 1, 2012. By that date, companies should have contractual obligations with all existing vendors that handle such personal information requiring the vendors to protect the information as set out in the regulations.

Companies that rely on third-party service providers to receive, store, maintain, or process the personal information of Massachusetts residents should consider whether their agreements with those vendors sufficiently commit them to maintain relevant security measures. If the third-party service providers process this type of data for other companies, they likely have been meeting this standard since March 1, 2010, or shortly thereafter, but some older contracts may not technically obligate them to do so.

Please see full alert below for more information.