If you do business with Massachusetts consumers and allow third-party vendors access to consumer data, please take note.
As of March 1, 2012, all contracts with vendors who have access to Massachusetts consumers’ personal information (PI) must contain representations of compliance with Massachusetts privacy standards. For the past two years, all companies—wherever located—that possess PI of Massachusetts residents have been required to comply with 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (the "Standards"). Among many other requirements, the Standards mandate that contracts with third-party vendors who have access to PI of Massachusetts residents include express representations that the vendor maintains appropriate security measures for such information.
Although the Standards have applied to contracts entered into on or after the effective date of March 1, 2010, contracts already in existence on that date were exempted from the contract requirement for two years. That exemption expires on March 1, 2012. Any contract that was in existence on March 1, 2010 with a vendor who has access to the personal information of a Massachusetts resident should therefore be amended to include the required representations.

The regulation creates no explicit private right of action, but the attorney general may seek civil penalties of up to $5,000 per violation, plus attorneys' fees and costs of investigation (M.G.L. c. 93A, § 4). Clients who possess PI of Massachusetts residents should review their vendor contracts for compliance, and confirm that their own written information security program, policies and procedures meet the required standard.