February 5, 2023

Volume XIII, Number 36


Massachusetts Regulations to Protect Consumer Personal Information Contain March 1, 2012 Deadline - Data Privacy Update

The strict Massachusetts data privacy and security regulations (201 C.M.R. 17) that took effect March 1, 2010 are designed to protect personal information of Massachusetts residents (including the combination of an individual's name with financial, bank or credit card account, driver's license, or social security numbers). The regulations require companies handling this type of information to adopt a Comprehensive Written Information Security Program and to encrypt personal information on laptops and other portable devices (as well as data transmitted across public networks or wirelessly), among other administrative, technical, and physical safeguards. Please see our LawFlash, "Massachusetts Regulations Governing Protection of Consumer Information to Take Effect March 1, 2010" (Aug. 27, 2009) for a summary of these regulations.

Companies subject to these regulations must also take reasonable steps to ensure that their third-party service providers that will have access to this data will protect it in the same way. Regulators understood that companies might need time to obligate by contract certain vendors (those with whom they did business prior to March 1, 2010) to meet this standard, and gave them a period of time to amend those agreements. This compliance grace period ends March 1, 2012. By that date, companies should have contractual obligations with all existing vendors that handle such personal information requiring the vendors to protect the information as set out in the regulations.

Companies that rely on third-party service providers to receive, store, maintain, or process the personal information of Massachusetts residents should consider whether their agreements with those vendors sufficiently commit them to maintain relevant security measures. If the third-party service providers process this type of data for other companies, they likely have been meeting this standard since March 1, 2010, or shortly thereafter, but some older contracts may not technically obligate them to do so.

As the end of the grace period approaches, companies should check relevant contracts to see if they sufficiently address this issue. If not, such contracts should be amended this month. In many cases, amendments can be handled by a short, countersigned letter, but it is important that such a letter have the effect of a formal amendment to an existing agreement. In general, all contracts with vendors handling this kind of data should have appropriate data protection language. It is also good practice for companies to ensure that such contracts provide the right to audit the service provider's compliance with the Massachusetts regulations (including the right to receive a copy of the service provider's comprehensive written information security program), require that the service provider return or destroy all personal information that may have been provided to it upon the termination of the contract, and mandate that the service provider provide prompt notification in the event of a security breach.

Copyright © 2023 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume II, Number 51

About this Author

Barbara Melby, Morgan Lewis, data privacy and cybersecurity lawyer

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Joseph Washington, Morgan Lewis, Intellectual property lawyer
Senior Attorney

Joseph E. Washington guides clients through the intellectual property matters they face in today’s global, connected environment, including prosecution, licensing, and litigation. These include disputes regarding trademarks, domain names, copyrights, unfair competition, and Internet and computer law. Clients involved with corporate transactions turn to him for guidance on the IP aspects of their deals, including trademark, copyright, and software licenses and related agreements, as well as privacy issues and data protection.

Joseph also counsels...

Michael Pillion, Morgan Lewis, Litigation Attorney

Michael L. Pillion brings more than 30 years of experience navigating high-stakes transactions to his technology, outsourcing, and commercial transactions practice. He has a diverse client base that spans the health insurance, life sciences, energy, financial services, and real estate industries. He counsels clients in structuring, negotiating, realigning, and terminating information technology (IT) outsourcing and business process outsourcing (BPO) transactions, technology transactions including software as a service (SaaS) and cloud deals, complex commercial...

Ron Dreben, intellectual property lawyer, Morgan Lewis

Ron N. Dreben advises clients on intellectual property and technology issues in business transactions. He provides advice in connection with mergers, acquisitions, and licensing arrangements, as well as trademark, copyright, trade secret, and related IP law. A Certified Information Privacy Professional (CIPP), Ron helps companies address privacy issues and respond to security breaches and advises US companies on the relevance of the EU Data Directive. Ron has experience negotiating with most of the leading technology product and service vendors.