E-Alerts

Data Security Alert! March 1 Deadline For Service Contracts To Comply With Massachusetts Data Security Law

[February 3, 2012]  Entities covered by the Massachusetts Data Security Law (including employers outside of Massachusetts) must ensure that all third-party service provider contracts are fully compliant with the law by March 1, 2012, when a two-year grace period for pre-existing third-party service provider contracts will expire.  Thus, by March 1, all such contracts must include a provision requiring the service provider to satisfy the requirements of the law, regardless of the contract’s execution date.

Significantly, entities based outside of Massachusetts are likely covered by the Massachusetts law if they have employees, clients, members, customers, or students who reside in Massachusetts.  For example, a California-based company is covered if it accepts credit cards from Massachusetts residents; a Rhode Island school is covered if it has Massachusetts employees or students; and a Florida non-profit is covered if it accepts donations from Massachusetts residents.

The regulations implementing the Massachusetts Data Security Law (in effect since March 1, 2010) require covered entities to protect Massachusetts residents’ personal information and to ensure that their third-party service providers protect such personal information as well.  The regulations established a two-year compliance grace period for third-party service provider contracts that existed before March 1, 2010.  On March 1, 2012, that grace period will expire, and all such contracts will be required to comply.

The Fundamentals Of The Massachusetts Data Security Law

The Massachusetts Data Security Law applies to entities that “own, license, store, maintain, process or otherwise have access to records containing ‘personal information’ of Massachusetts residents in connection with the provision of goods or services or in connection with employment.”  “Personal information” is defined as first and last name, or first initial and last name, combined with a financial account number, a credit or debit card number, a Social Security number, a driver’s license number and/or a state-issued identification number.

Entities covered by the regulations must, among other things:

  • Implement specific information technology security requirements (secure user authentication and strong password protocols, access controls that limit personal information to those who need it, firewalls and up-to-date patches and anti-malware software, monitoring of systems for unauthorized use or access, and encryption of personal information that is transmitted across public networks or wirelessly or stored on laptops or other portable devices);
  • Develop and implement a Comprehensive Written Information Security Program (“WISP”), i.e., a detailed policy that sets forth the covered entity’s security, technical and administrative protocols for safeguarding personal information;
  • Conduct employee training on the WISP; and
  • Require third-party service providers (i.e., “any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation”) to confirm in their contracts that they will protect the personal information entrusted to them in accordance with the Data Security Law.

Next Steps

Employers that have not yet taken steps to ensure that all of their third-party service providers have agreed to comply with the Massachusetts Data Security Law must do so immediately.  Specifically, employers should:

  • Review the Massachusetts Data Security Law to determine if they are covered by the law (any entity with Massachusetts clients, employees or students, by way of example, is likely covered);
  • Analyze whether they use third-party service providers in any way that involves sharing personal information of Massachusetts residents, for example:
    • 401(k) or 403(b) provider?
    • Workers’ compensation carrier?
    • Insurance broker?
    • Health insurance carrier?
    • Any other vendor that receives, stores, or can access such information?
  • Review all such third-party service contracts to assess whether they include the required provision;
  • Amend these contracts, as may be necessary, by no later than March 1, 2012; and
  • Draft all new third-party service provider contracts to comply with the law.

***

Please do not hesitate to contact us if you have questions about the Massachusetts Data Security Law or need assistance to achieve compliance with it.  We have developed a data security compliance package to assist covered entities and would be happy to help however we can.