
Data Privacy and Network Security Alert: The clock is ticking…

As we previously wrote about, on March 1, 2010, Massachusetts enacted its “Standards for the Protection of Personal Information (PI) of Residents of the Commonwealth” (201 CMR 17.00). The Massachusetts PI Standards contain many requirements for organizations that own or license PI of Massachusetts residents. Irrespective of location, an entity must comply if it receives, stores, maintains, processes or has access to PI of Massachusetts residents. Besides having a Written Information Security Program (WISP) and detailed computer system safeguards in place, organizations are required to include provisions in vendor contracts that set forth the vendor’s obligation to maintain appropriate security measures for PI. This is not a new requirement under the Massachusetts PI Standards; rather, there was a two-year “grandfather provision” for vendor contracts entered into prior to March 1, 2010. Contracts with third-party service providers entered into after March 1, 2010 have been and continue to be required to include a representation of the vendor’s compliance. The two-year “grandfather provision,” however, is set to expire on March 1, 2012, and all vendor contracts must now be compliant.

Under the Massachusetts PI Standards, entities owning or licensing Massachusetts PI must ensure that their vendors are in compliance. First, organizations must “tak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information.” Second, organizations must “requir[e] such third-party service providers by contract to implement and maintain such appropriate security measures for personal information.”

If any of your vendors receive, store, handle, access, maintain or process PI that you own or license of at least one Massachusetts resident, your vendor contracts must be revised to include a provision wherein the vendor represents that it has appropriate safeguards in place. This means that the vendors must have a WISP and detailed computer system safeguards in place, including appropriate encryption on laptops and electronic devices containing this PI. If a breach occurs, you can guarantee that the Massachusetts Attorney General will request the WISPs of the entity and its vendors.

Now is the time to locate, dust off and review your vendor contracts. Regardless of when they were executed, all third-party service provider agreements must be brought into compliance by March 1, 2012. It is also the perfect opportunity to review (and update) other terms in your vendor contracts.

If you are a third-party service provider, take advantage of this opportunity to highlight your compliance with the Massachusetts PI Standards. Your compliance may set you apart from the competition when marketing your services to organizations that will now be required to select and retain vendors capable of maintaining appropriate security measures to protect PI.

If you have any questions, please contact:

James J. Giszczak
248.220.1354
jgiszczak@mcdonaldhopkins.com

Dominic A. Paluzzi
248.220.1356
dpaluzzi@mcdonaldhopkins.com

or any of our Data Privacy and Network Security attorneys.

McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees, and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process, coordinate notifications to affected individuals and state attorneys general, and advise on media-related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance that have the greatest need of attention and improvement.

Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114
Chicago
312.280.0111
Fax: 312.280.8232
Cleveland
216.348.5400
Fax: 216.348.5474
Columbus
614.458.0025
Fax: 614.458.0028
Detroit
248.646.5070
Fax: 248.646.5075
Miami
1.305.704.3990
Fax: 1.305.704.3999
West Palm Beach
561.472.2121
Fax: 561.472.2122
IRS CIRCULAR 230 DISCLOSURE: To ensure compliance with requirements imposed by the Internal Revenue Service, we inform you that any tax advice contained in this communication (including any attachments), was not intended or written to be used, and cannot be used, by any taxpayer for the purpose of (1) avoiding any penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another party any transaction matter addressed herein.

© 2012 McDonald Hopkins LLC All Rights Reserved. This Alert is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action.