Deadline Approaching for Companies Holding Massachusetts Residents' Personal Data

Posted by Meighan E. O'Reardon

The last outstanding requirement of the 2010 Massachusetts Data Protection Law relates to third-party service provider compliance and will take effect on March 1, 2012.

Section 17.03(2)(f)(2) of the Law mandates that entities holding Massachusetts residents' personal information require their third-party service providers to contractually commit to implementing and maintaining security measures for personal information. The Law defines a service provider as

"any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to [the Massachusetts] regulation."

Companies subject to the Law should validate that any agreements with service providers that fall within this definition address the Massachusetts requirements, and any gaps in contract language should be immediately corrected.

As a matter of good information security practice, contracts with service providers should also include: (i) security audit rights, (ii) terms requiring that the service provider immediately notify the contracting partner of any data breach, and (iii) language requiring that all personal information be returned or destroyed upon the termination of the contract.

For additional background on the Massachusetts Data Protection Law, see here.