Massachusetts Personal Information Data Security Regulations: Be Aware of 2012 Deadlines

Wednesday, March 07, 2012

By Terence P. McCourt and Justin F. Keith, Greenberg Traurig

March 1, 2012 marks a critical compliance date for businesses covered by the Massachusetts data security regulations.  Regulations implementing Massachusetts law defining standards to be met by businesses with access to “personal information” of any Massachusetts resident went into effect in 2010.  The regulations contain a two-year grace period for certain contracts entered into prior to March 1, 2010.  With the expiration of the grace period, new rules are now in effect for all “service provider” contracts.

Service Provider Contract 2012 Deadline

“Personal information” is defined as a Massachusetts resident’s first name and last name, or first initial and last name, combined with one of the following: (a) Social Security number, (b) driver’s license number or state-issued identification card number, or (c) financial account, credit card or debit card number.  A business is covered by the regulations if it “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”  Provided that this definition is met, an entity is covered by the law even if it does not maintain a place of business in Massachusetts.

A third party “service provider” is defined as any person or entity that has access to personal information through its provision of services to a business covered by the regulations.  The regulations require that covered entities have contracts with service providers pursuant to which the service providers agree to implement and maintain appropriate security measures to protect personal information consistent with Massachusetts law.

Contracts entered into prior to March 1, 2010 contained a two-year grace period.  However, with the expiration of the grace period, all service provider contracts must now be in compliance. 

Information Security Program Requirements

It should also be noted that, since 2010, any business subject to the regulations is required to create and implement a written comprehensive information security program (“WISP”) which, among other things, must:

  • Identify and assess all reasonably foreseeable internal and external security risks to the security, confidentiality and/or integrity of any record (electronic or paper) that contains personal information;
  • Evaluate and improve, where necessary, the effectiveness of current safeguards to limit identified risks, including the introduction of employee training and means for detecting and preventing security system failures;
  • Develop security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises;
  • Impose disciplinary measures for violations of the comprehensive security program rules; and
  • Prevent terminated employees from accessing records that contain personal information.

What Should Covered Businesses Do?

  • Covered businesses should ensure that they have in place a WISP-- a written information security program.
  • Covered businesses should train their employees on security policies related to the handling of personal information.
  • Covered businesses should identify all third party service providers with access to personal information maintained by the covered business, and ensure that compliant contracts are in effect.