Most businesses that handle “personal information” of Massachusetts residents (i.e., a resident’s name in combination with financial or identifying data, such as a driver’s license number, credit card number or social security number) must satisfy additional requirements of the Massachusetts data security regulations (201 CMR 17.00, et seq.) by March 1, 2012. The regulations, which took effect March 1, 2010, require businesses to have adequate protections in place to ensure that such personal information is not disclosed or used in an unauthorized manner.
Businesses must take further steps to comply with the regulations by ensuring that their service providers are also in compliance by March 1, 2012. Specifically, such businesses must have investigated the adequacy and appropriateness of their service providers’ data security policies and practices. In addition, they must have contracts in place which demonstrate that those providers are in compliance with the regulations. Service providers may include office cleaning services, payroll companies, internet service or hosting providers, billing companies, and others.
Companies affected by this law should check their contracts with their service providers to determine whether the contracts comply with the regulations. If not, such contracts should be amended as soon as possible. Simply receiving a letter from your service providers stating that they are in compliance is not sufficient. It is advisable that the contracts with service providers include additional language to protect your business, such as the following:
- Include language granting you the right to audit the service provider’s compliance with the regulations.
- Require the service provider to inform you of any breach of the regulations.
- Include a clause that requires your provider to indemnify you (pay you back) if a claim is made against you as a result of the provider’s actions.
- State that the provider must return or destroy personal information upon contract termination.