In several recent client advisories, we reported on the Massachusetts Data Privacy Regulations that took effect on March 1, 2010.[1] These regulations, available at 201 CMR 17.00, et seq., impose certain obligations on businesses that own or license the personal information of Massachusetts residents (the “PI”).[2] The regulations require businesses to protect the PI of Massachusetts residents (whether customers or employees) through a variety of proactive measures, such as developing and implementing a Written Information Security Program (“WISP”), ensuring that all computers and portable electronic devices containing PI are secure and encrypted, and requiring that all third-party service provider contracts contain provisions that comply with these regulations.
In an effort to assist in compliance with the third-party service provider requirement, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) drafted a “grandfather” clause into the regulations. This provision provides businesses an additional two years, until March 1, 2012, to update previously existing third-party service provider contracts to comply with the regulations. Prior to this date, only contracts entered into after March 1, 2010, the effective date of the regulations, were required to comply.
The expiration of the grandfather clause applies to all businesses that possess or license the PI of Massachusetts residents, whether located within or outside of the Commonwealth, and regardless of size or type. The implications of this new requirement are far-reaching, and businesses should be aware of a few key principles before deciding whether and how to update their third-party contracts.
First, the regulations cover all third-party service providers that receive, store, maintain, process or access PI in conjunction with their services to a particular business. This definition is broad and covers companies as diverse as independent payroll providers, data storage companies and financial and healthcare institutions. Second, businesses must require by contract that their service providers adhere to the regulations. A certificate of compliance or written assurance is not sufficient for compliance since it does not meet the standards for a binding and enforceable contract. Third, businesses are advised to update their existing third-party service provider contracts and conduct due diligence to ensure that vendors have enacted their own WISPs and breach notification plans. Finally, businesses should be aware that the regulations place the burden on them as the owners or licensees of the PI to ensure compliance by their third-party service providers.
The Massachusetts Data Security Regulations are arguably the toughest in the country. Businesses are thus advised to take reasonable steps to educate themselves about the regulations and the practices of their third-party service providers, in addition to updating their existing third-party service provider contracts, in order to best protect themselves.