Data Privacy Update

February 17, 2012

Massachusetts regulations to protect consumer personal information
contain March 1, 2012 deadline.

The strict Massachusetts data privacy and security regulations (201 C.M.R. 17) that took effect March 1, 2010 are designed to protect personal information of Massachusetts residents (including the combination of an individual's name with financial, bank or credit card account, driver's license, or social security numbers). The regulations require companies handling this type of information to adopt a Comprehensive Written Information Security Program and to encrypt personal information on laptops and other portable devices (as well as data transmitted across public networks or wirelessly), among other administrative, technical, and physical safeguards. Please see our LawFlash, "Massachusetts Regulations Governing Protection of Consumer Information to Take Effect March 1, 2010" (Aug. 27, 2009) for a summary of these regulations.

Companies subject to these regulations must also take reasonable steps to ensure that their third-party service providers that will have access to this data will protect it in the same way. Regulators understood that companies might need time to obligate by contract certain vendors (those with whom they did business prior to March 1, 2010) to meet this standard, and gave them a period of time to amend those agreements. This compliance grace period ends March 1, 2012. By that date, companies should have contractual obligations with all existing vendors that handle such personal information requiring the vendors to protect the information as set out in the regulations.

Companies that rely on third-party service providers to receive, store, maintain, or process the personal information of Massachusetts residents should consider whether their agreements with those vendors sufficiently commit them to maintain relevant security measures. If the third-party service providers process this type of data for other companies, they likely have been meeting this standard since March 1, 2010, or shortly thereafter, but some older contracts may not technically obligate them to do so.

As the end of the grace period approaches, companies should check relevant contracts to see if they sufficiently address this issue. If not, such contracts should be amended this month. In many cases, amendments can be handled by a short, countersigned letter, but it is important that such a letter have the effect of a formal amendment to an existing agreement. In general, all contracts with vendors handling this kind of data should have appropriate data protection language. It is also good practice for companies to ensure that such contracts provide the right to audit the service provider's compliance with the Massachusetts regulations (including the right to receive a copy of the service provider's comprehensive written information security program), require that the service provider return or destroy all personal information that may have been provided to it upon the termination of the contract, and mandate that the service provider provide prompt notification in the event of a security breach.

Morgan Lewis has experience guiding businesses through new policies and programs to address the Massachusetts regulations, including the third-party service provider contractual language requirement and security concerns generally. We have also developed breach notification plans and assisted businesses in coping with the consequences of a data breach. For more information about the issues discussed in this LawFlash, please contact one of the following Morgan Lewis attorneys:

Todd S. Holbrook

Barbara Murphy Melby
Gregory T. Parks
Michael L. Pillion

Washington, D.C.
Ron N. Dreben
Joseph E. Washington