Today is the Deadline for MA Data Privacy Law
On March 1, 2010, two years ago, the regulations associated with the Massachusetts Data Privacy Law went into effect. The regulations, found at 201 CMR 17, require businesses that possess “Personal Information” (PI) of Massachusetts residents to protect that data in fairly specific ways. Arguably, the most important aspect of the regulations was the requirement that all businesses have a “Written Information Security Program” or WISP. But there are certainly other important regulations, one of which comes into effect today, March 1, 2012.
March 1, 2012 is the deadline for businesses that possess “PI” to address any third-party contracts where the third party possesses or otherwise maintains PI on behalf of the business.
Let’s say you’re a large law firm that, by the nature of its business, is in possession of a large amount of PI. Your firm processes hundreds or even thousands of cases each year. As each case comes to an end, the file gets boxed up and shipped out for storage for, say, ten years. Contained in that box is the personal information of Massachusetts residents who were involved in the case. Your firm has used the same storage company for twenty years, and so far things have seemingly been fine (at least as far as you know). **NOTE:** the “file” and the “box” could be, and probably are, electronic files as opposed to physical (paper) ones.
Under the regulations that come online today, your firm must now include certain clauses or elements in its contract with the storage company in order to comply with MA law. Specifically, the regulations require that the “owner” of the PI (here, the large law firm) have a clause in its contract with the vendor (here, the storage company) that obtains assurance that the vendor can protect the PI it possesses on behalf of the business.
The regulations require that owners/licensors of Personal Information of MA residents “oversee service providers” by selecting providers that are capable of maintaining appropriate security measures to protect PI, and by requiring by contract that the vendor implement and maintain such appropriate security measures to protect the PI. In addition, the contract should include a clause that requires the vendor, in the event of a loss or “breach” of that data, to give notice to the owner as soon as is practicable and without unreasonable delay. Cooperation between the owner of the PI and the vendor, or possessor of the PI, is required as well. Cooperation is defined as the vendor informing the owner of the breach; the date of the breach; and any steps taken by the vendor related to the breach. (M.G.L. c. 93H s. 3(a))
[**NOTE:** the above is not legal advice, and this blog post should not be considered legal advice – if you have questions or concerns about this law, please consult competent legal counsel.]
I suspect the large law firm that has been doing business with the storage company for twenty years will have no problem fixing up its contract. After all, the storage company wants their business.
But what about the smaller businesses that use an outside IT company to run their computer systems? Let’s say the IT company stores the client’s data on servers located in the IT company’s offices; a sort of “private cloud” arrangement, since it also stores other clients’ data on those same servers. Or what if the small business uses a behemoth like Amazon Web Services for its cloud storage of data? Will the small business be in a position to “oversee” Amazon’s internal security apparatus? These small businesses are the entities that need to be made aware of this regulation, but I fear that their education in this area is lacking.
I suppose the answers to the above questions will lie in the regulator’s definition of “oversee.” The law seems to define “oversee” as selecting entities that are capable of providing the appropriate security measures. Will having boilerplate language in your contract be enough? I guess we will have to wait and see for that answer. (Again, please consult a lawyer if you find yourself in this situation.)
March 1, 2012 is also a special date because it’s the first anniversary of the Massachusetts Data Privacy Law Blog. Its official launch, live on the Internet, was March 1, 2011… We’ve had over 11,000 visitors and several thousand are returning readers. I thank you for your interest in this blog. I try to keep it light, but at the same time convey interesting material.
Thanks for reading.