Critical Privacy Regulation Deadline Looms

Companies sharing personal information with third party service providers take note: Your agreements must comply with the so-called Massachusetts data security regulations by March 1. 

“The Massachusetts Office of Consumer Affairs and Business Regulation adopted new rules for securing data in 2010 in response to a rapid increase in data breaches,” says Socheth Sor, a Certified Information Privacy Professional and an attorney at Edwards Wildman Palmer LLP (Hartford, Conn.), who advises clients on privacy issues. “One aim of the regulations was to address the nearly 40 percent of data breaches that involve third-party service providers such as contractors, consultants and business partners.” 

Sor notes that even though the regulations only apply to companies holding the personal information of Massachusetts residents, all companies would be wise to ensure their vendors are capable of protecting the personal information companies share with them.  By the March 1, 2012 deadline, all vendor contracts for companies holding the personal information of Massachusetts residents, including those entered into before the March 1, 2010 effective date of the regulations, must be in compliance with the new rules. 

“Compliance includes ensuring that vendors are capable of maintaining appropriate security measures to protect personal information,” says Sor. “Companies must also have contracts with vendors to confirm the vendors' compliance with the Massachusetts regulations.” 

Sor is available to discuss what all companies, regardless of where they operate in the U.S., should know about the Massachusetts data security regulations, and how to ensure compliance.  [01/20/2012]