February 13, 2012

The clock is ticking...

All contracts with vendors storing, handling or accessing Massachusetts Personal
Information must be revised by March 1, 2012

As we previously wrote about, on March 1, 2010, Massachusetts enacted its “Standards for the Protection of Personal Information (PI) of Residents of the Commonwealth” (201 CMR 17.00). The Massachusetts PI Standards contain many requirements for organizations that own or license PI of Massachusetts residents. Irrespective of location, an entity must comply if it receives, stores, maintains, processes or has access to PI of Massachusetts residents. Besides having a Written Information Security Program (WISP) and detailed computer system safeguards in place, organizations are required to include provisions in vendor contracts that set forth the vendor’s obligation to maintain appropriate security measures for PI. This is not a new requirement under the Massachusetts PI Standards, rather there was a two-year “grandfather provision” for vendor contracts entered into prior to March 1, 2010. Contracts with third party service providers entered into after March 1, 2010 have been and continue to be required to include a representation of the vendor’s compliance. The two-year “grandfather provision,” however, is set to expire on March 1, 2012 and all vendor contracts must now be compliant.

Under the Massachusetts PI Standards, entities owning or licensing Massachusetts PI must ensure that their vendors are in compliance. First, organizations must “tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information.” Second, organization must “requir[e] such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.”

If any of your vendors receive, store, handle, access, maintain or process PI, that you own or license, of at least one Massachusetts resident, your vendor contracts must be revised to include a provision wherein the vendor represents that it has appropriate safeguards in place. This means that the vendors must have a WISP and have detailed computer system safeguards, including appropriate encryption on laptops and electronic devices containing this PI. If a breach occurs, you can guarantee that the Massachusetts Attorney General will request the WISPs of the entity and its vendors.

Now is the time to locate, dust off and review your vendor contracts. Regardless of when they were executed, all third-party service provider agreements must be brought into compliance by March 1, 2012. It is also the perfect opportunity to review (and update) other terms in your vendor contracts.

If you are a third-party service provider, take advantage of this opportunity to highlight your compliance with the Massachusetts PI Standards. Your compliance may set you apart from the competition when marketing your services to organizations which will now be required to select and retain vendors that are capable of maintaining appropriate security measures to protect PI.

If you have any questions, please contact:

James J. Giszczak


Dominic A. Paluzzi


or any of our Data Privacy and Network Security attorneys by clicking on the link below:  

Data Privacy and Network Security

McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process and coordinate notifications to affected individuals and state attorneys general, as well as advising on media related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance which have the greatest need of attention and improvement.

Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114