Legal Update
Feb 15, 2012
Massachusetts Regulation Requires Service Provider Contracts To Include Security Provisions By March 1, 2012
Companies that provide “personal information”[1] regarding Massachusetts residents in electronic or written form to a service provider will need to make sure that their service contracts require the service provider to use appropriate security measures to protect the information.
Massachusetts’ “Standards for the Protection of Personal Information of Residents of the Commonwealth,” 201 CMR 17, originally went into effect in 2010 and required companies handling personal information regarding Massachusetts residents to establish a comprehensive information security program. One final aspect of the regulation goes into effect on March 1, 2012, and provides that a company must require “third-party service providers by contract to implement and maintain such appropriate security measures for personal information.” (201 CMR 17.03 (2)(f)2) While the regulation is not precise as to the specific provisions a contract must contain, we believe that reasonable measures a service provider may implement include maintaining appropriate technical, physical and organizational security measures to protect the personal information against unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful handling; or damage.
While this is a Massachusetts regulation, it applies to any business that processes personal information regarding a Massachusetts resident, so it would apply to any company that employs Massachusetts residents (wherever they work) and many companies that do business with Massachusetts residents.
[1] “Personal information” means a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. (201 CMR 17.03 (2)(f)2)