Have You Amended Your Vendor Contracts Yet? Data Privacy Deadline Looms

Client Alert
February 27, 2012

Does your company:

  • Use a payroll service to pay employees?
  • Use a third party to administer retirement plans?
  • Offer employees various types of insurance, such as health, life, and disability?
  • Process credit card orders?
  • Store data on third-party servers or in a cloud computing environment?
  • Entrust third-party vendors or couriers to transport, maintain, store, or otherwise handle your secure personal identifying data?

If so, we urge you to note the importance of March 1, 2012. By March 1, all persons or entities that own or license the personally identifying information of a Massachusetts resident must contractually require their vendors to comply with the Massachusetts data security regulations (201 CMR 17.00, et seq.). The March 1 deadline represents the final phase of implementation of the Massachusetts data security regulations, which became effective in early 2010.

The mandate applies to in-state and out-of-state businesses alike. Whether yours is a multinational conglomerate, a closely held business, or a non-governmental association, it must comply with the new data security rules if (1) it receives, stores, maintains, processes, or has access to the "personal information" of a Massachusetts resident, and (2) does so "in connection with the provision of goods or services or in connection with employment."

The regulations define "personal information" to mean either an individual's first name and last name, or the individual's first initial and last name, used in combination with any of the following: (a) social security number, (b) state-issued driver's license or identification card number, or (c) financial account number, credit card number, or debit card number, whether or not these numbers are associated with any security code, access code, or password that would permit access to the account.

Specifically, the Massachusetts regulations require that every such person, non-governmental association, or company with such information, regardless of primary location or size, must develop and implement a comprehensive written information security program (WISP). The Massachusetts regulations require that each WISP include specific technical, physical, and administrative provisions to effectively protect the personal information held by that entity.

The regulations also require that each such business take reasonable steps to monitor its third-party service providers that collect, maintain, or handle the personal information, to ensure that the providers are capable of maintaining the security of that information in compliance with the law. As of March 1, 2012, that vetting process includes the requirement that third-party providers be contractually bound to comply with the law and to develop and implement their own WISP.

A person or company that fails to comply may be subject to civil damages, including potentially triple damages under Massachusetts consumer protection laws, compound liability for data breach by a vendor, and even class action liability.

What Must You Do?

Review your company's contracts with vendors and third-party service providers. By March 1, 2012, all such contracts must bind the provider to comply with the data privacy rules. Such contracts must be amended to include specific language requiring the provider's compliance, including provisions ensuring that:

  • Providers agree to comply with Massachusetts data privacy regulations
  • All third-party vendors engaged by the providers will comply with the regulations
  • Providers put in place processes and protocols for notification in case of a data privacy breach
  • Providers may be audited for compliance

You may even want to try to negotiate a provision ensuring that providers will indemnify your company for losses resulting from non-compliance or a data breach by the providers or their subcontractors.

If your company provides products or services to other businesses, you may be facing an influx of requests to amend existing contracts by adding language confirming your company's compliance with the data privacy rules. As you would with other legal documents, you should have experienced counsel review such requests. In particular, do not be caught unawares by a company that tries to use the March 1 deadline as an opportunity to expand your company's liability for a security breach. The regulations require only that a business contractually bind its vendors to comply with the Massachusetts regulations. Some companies are seeking to negotiate additional indemnification provisions or liability-expanding language that may burden your company.

Attorneys in Prince Lobel's Data Privacy and Security Practice Group have experience helping the firm's clients develop and implement written information security programs, and can also counsel you as you consider amendments to your contracts with vendors and business partners.

If you would like assistance creating or revising any of your existing third-party vendor contracts, or if you have any questions about the information presented here, please contact firm partner Peter J. Caruso II, the author of this Alert, at 617 456 8034 or pcarusoii@PrinceLobel.com, or any of our other attorneys in the firm's Data Privacy and Security Practice Group.
100 Cambridge Street, Suite 2200 | Boston, MA 02114 | 617 456 8000