March 1 Deadline for Companies and Vendors with Massachusetts Personal Information




by:
Theodore P. Augustinos
Edwards Wildman Palmer LLP - Hartford Office

Laurie A. Kamaiko
Edwards Wildman Palmer LLP - New York Office

Mark E. Schreiber
Edwards Wildman Palmer LLP - Boston Office

Socheth Sor
Edwards Wildman Palmer LLP - Hartford Office

 
January 31, 2012

Previously published in January 2012

By March 1, 2012, companies with personal information of Massachusetts residents must amend their existing contracts with vendors that handle such information to require the vendors’ compliance with the Massachusetts data security regulations. This requirement applies to the personal information of all Massachusetts residents, regardless of whether they are customers, employees or others with whom the company comes into contact and regardless of in which state the data is kept.

Although the Massachusetts regulations do not specify the wording of the provisions that these contracts should include, companies should consider negotiating certain key privacy and data protection representations, warranties and covenants.

As many companies have learned, data breaches are expensive, in terms of actual costs to the company addressing notification obligations, as well as potential legal liability to others and negative publicity. According to a recent study by the Ponemon Institute, 39 percent of data breaches in 2010 involved third party service providers such as outsourcers, contractors, consultants and business partners. An important data breach prevention measure is to implement effective safeguards to protect personal information and to require one’s vendors to do the same. In addition to being sound risk mitigation, it may be required by law.

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) established what have become known as the Massachusetts data security regulations (201 CMR 17.00 et seq.) with the aim of reducing the risk of privacy breaches, including risks posed by vendor relationships. The Massachusetts regulations, which went into effect March 1, 2010, require any company, regardless of location, size or industry, that possesses the personal information of a Massachusetts resident to adopt and implement a comprehensive written information security program (“WISP”). A WISP must include technical, physical, and administrative safeguards for the protection of personal information owned, licensed, received, stored, maintained, processed, or otherwise accessed by the company.

As defined by the Massachusetts regulations, personal information means an individual’s first name and last name or first initial and last name in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the financial account.

Although the Massachusetts regulations only apply to companies possessing the personal information of Massachusetts residents, a growing number of companies have created or adapted their WISP not only to meet the requirements under the Massachusetts regulations, but to cover all personal information they maintain, regardless of the state of residence. The rationale is that it can be difficult or impossible for some companies to cull out Massachusetts personal information from various databases, or corporations see it as unfair to treat employee data from one state differently than that of another.

To reduce the risk of data breaches involving third party service providers, the Massachusetts regulations require companies to take reasonable measures to select vendors that are capable of maintaining appropriate security measures to protect personal information. In addition, companies must enter into contracts with vendors to require them to implement and maintain security measures in compliance with the Massachusetts regulations. All new contracts effective after March 1, 2010 must meet this requirement. For contracts entered into before March 1, 2010, companies are deemed to be in compliance with this requirement if they are amended by March 1, 2012.

Thus, companies should consider whether their vendor contracts and amendments should contain several key provisions, including representations, warranties, and covenants providing the following:

  • The vendor must comply with the Massachusetts regulations and other applicable federal and state privacy and data security requirements;
  • The company has the right to evaluate or audit the vendor periodically to ensure its compliance with applicable laws;
  • The vendor contractually requires its vendors to comply with applicable privacy and data security requirements;
  • The vendor provides the company with immediate notification of an actual or potential breach involving personal information shared with the vendor;
  • The vendor returns or appropriately destroys all of the company’s personal information in its possession at the termination of the contract, to the extent feasible; and
  • The vendor agrees to indemnify the company and hold it harmless against any and all losses, damages and expenses, including the costs of any investigation and computer forensic costs, resulting from a data breach caused by the vendor or its sub-vendors.

Although these requirements only apply to companies possessing the personal information of Massachusetts residents, companies that are not within the scope of the Massachusetts regulations should nonetheless consider amending their contracts with vendors to include the provisions outlined above, as part of efforts to reduce the risk of data breaches. Vendors, on the other hand, will need to implement their own WISPs, and consider how to adjust or limit their exposure, including their own pass-through obligations to sub-vendors.

As indicated above, the Massachusetts regulations are unique. Other states have laws or regulations that require companies to have reasonable security measures to protect personal information, but such laws generally do not yet specify required elements for protection, and do not specifically require companies to mandate vendor compliance by contract. There are, however, federal requirements such as the FTC’s Safeguards Rule obligating companies to ensure by contract that their third party service providers have appropriate measures to protect personal information. In fact, the OCABR modeled its vendor provision after the FTC’s Safeguards Rule.

It is important to note that these regulations have had a national effect, and, to a degree, are driving the data security policy agenda in some respects. Often, companies apply the data security measures they have implemented to comply with the Massachusetts regulations to all personal information they collect, not just to data of Massachusetts residents, as it can be problematic to separate out Massachusetts personal information. It is also now common to see the kinds of provisions listed above in many contract negotiations.
