New Requirements for Companies with Personal Information of MA Residents

By Theodore P. Augustinos and Socheth Sor
March 29, 2012

Effective March 1, 2012, companies with personal information of Massachusetts residents must amend their existing contracts with vendors that handle such information to require the vendors' compliance with the Massachusetts data security regulations. This requirement applies to the personal information of all Massachusetts residents, regardless of whether they are customers, employees or others with whom the company comes into contact and regardless of in which state the data are kept.

Massachusetts Data Security Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) established what have become known as the Massachusetts data security regulations (201 CMR 17.00 et seq.) with the aim of reducing the risk of privacy breaches, including risks posed by vendor relationships. These regulations, which went into effect March 1, 2010, require any company, regardless of location, size or industry, that possesses the personal information of a Massachusetts resident to adopt and implement a comprehensive written information security program (“WISP”). A WISP must include technical, physical and administrative safeguards for the protection of personal information owned, licensed, received, stored, maintained, processed or otherwise accessed by the company. As further discussed below, among the specific requirements of the Massachusetts regulations is the requirement to protect personal information handled by vendors.

As defined by the Massachusetts regulations, personal information means an individual's first name and last name, or first initial and last name, in combination with any one or more of the following: 1) Social Security number; 2) driver's license number or state-issued identification card number; or 3) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the financial account.

Although the Massachusetts regulations only apply to companies possessing the personal information of Massachusetts residents, a growing number of companies have created or adapted their WISP not only to meet the requirements under the Massachusetts regulations, but also to cover all personal information they maintain, regardless of the state of residence. The rationale is that it can be difficult or impossible for some companies to cull out Massachusetts personal information from various databases, or corporations see it as unfair to treat employee data from one state differently than that of another.

Protecting Information Shared with Vendors

As many companies have learned, data breaches are expensive: there are the direct costs of meeting notification obligations, as well as potential legal liability to others and negative publicity. According to a recent study by the Ponemon Institute, 39% of data breaches in 2010 involved third-party service providers such as outsourcers, contractors, consultants and business partners. An important data breach prevention measure is to implement effective safeguards to protect personal information and to require one's vendors to do the same. In addition to being sound risk mitigation, it may be required by law.

To reduce the risk of data breaches involving third-party service providers, the Massachusetts regulations require companies to take reasonable measures to select vendors that are capable of maintaining appropriate security measures to protect personal information. In addition, companies must enter into contracts with vendors to require them to implement and maintain security measures in compliance with the Massachusetts regulations. All new vendor contracts were required to meet this requirement as of March 1, 2010. For contracts that had been entered into before March 1, 2010, companies are deemed to be in compliance with this requirement if they were amended by March 1, 2012.

Although the Massachusetts regulations do not specify the wording of the provisions that these contracts should include, other than compliance with the Massachusetts regulations and any applicable federal regulations, companies should consider negotiating certain key privacy and data protection representations, warranties and covenants, including those that provide the following:

  • The vendor must comply with the Massachusetts regulations and other applicable federal and state privacy and data security requirements;
  • The company has the right to evaluate or audit the vendor periodically to ensure its compliance with applicable laws;
  • The vendor contractually requires its vendors to comply with applicable privacy and data security requirements;
  • The vendor provides the company with immediate notification of an actual or potential breach involving personal information shared with the vendor;
  • The vendor returns or appropriately destroys all of the company's personal information in its possession at the termination of the contract, to the extent feasible; and
  • The vendor agrees to indemnify the company and hold it harmless against any and all losses, damages and expenses, including the costs of any investigation and computer forensic costs, resulting from a data breach caused by the vendor or its vendors.

Extraterritorial Effect of the Massachusetts Regulations

These requirements apply to all companies possessing the personal information of Massachusetts residents. Companies that are not technically within the scope of the Massachusetts regulations would be well advised to consider amending their contracts with vendors to include the provisions outlined above, as part of their efforts to reduce the risk of data breaches. As a result of these provisions, vendors will be contractually required to implement their own WISPs, and will need to consider how to adjust or limit their exposure, including their own pass-through obligations to sub-vendors.

The Massachusetts regulations are unique. Other states have laws or regulations that require companies to have reasonable or appropriate security measures to protect personal information, but generally they currently offer little guidance as to what specific security measures are required, or how much security is enough. In addition, they do not require companies to mandate vendor compliance by contract. There are, however, federal requirements such as the FTC's Safeguards Rule obligating companies to ensure by contract that their vendors have appropriate measures to protect personal information. In fact, the OCABR modeled its vendor provision after the FTC's Safeguards Rule.

It is important to note that these regulations have had a national effect, and, to a degree, are driving the data security policy discussion. Typically, companies apply the data security measures they have implemented to comply with the Massachusetts regulations to all personal information they collect, not just to data of Massachusetts residents, as it can be difficult or impossible to cull out Massachusetts personal information. It is also now common to see the kinds of provisions listed above in many contract negotiations.


Theodore P. Augustinos serves as co-chair of the Edwards Wildman Palmer LLP interdisciplinary Privacy and Data Protection Group in the firm's Hartford, CT, office. He may be reached at [email protected]. Socheth Sor is a member of the Privacy and Data Protection Group in the firm's Hartford office. She may be reached at [email protected].