This post was also written by John L. Hines, Jr., Amy S. Mushahwar and Frederick Lah.
The Massachusetts Data Protection Regulations, 201 C.M.R. 17.00, (“Massachusetts Regulations”) establish minimum standards to be met in connection with safeguarding the personal information of Massachusetts residents. Personal information is defined as a resident’s first name and last name or first initial and last name in combination with the resident’s Social Security number, driver’s license number or state ID card number, or financial account number.
Under the Massachusetts Regulations, companies that own or license personal information must “oversee” service providers by requiring them by contract to “implement and maintain such appropriate security measures for personal information.” See 201 C.M.R. 17.03(2)(f). The Massachusetts Regulations provide a grandfather clause that deems any contract with a service provider entered into before March 1, 2010 to be in compliance, even if it does not have provisions related to adequate data security. This clause, though, expires March 1, 2012, which is quickly approaching. From that date forward, all contracts with service providers must be in compliance with the provision.
All companies—whether the owner/licensor of the information overseeing the service provider, or the service provider (who would also likely be considered a licensor)—need to ensure that any contract (new or existing) touching personal information contains a provision to implement and maintain appropriate safeguards. Such a representation should be accompanied by the requisite due diligence to ensure accuracy and by the right to review/audit future compliance.
Contractual modification may prove to be harder for some companies, particularly those operating under medium- or long-term contracts that do not require that a service provider do all the things that the Massachusetts Regulations require. In this situation, good faith and cooperation may not always work. Still, you may be able to rely on contractual clauses requiring compliance with law to effectuate change. At the very least, you should communicate (and document) your expectation of compliance to the service providers.