Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

Regulators are focusing more and more on how responsible organizations are when engaging third-party vendors. &nbsp;HIPAA has in place requirements for engaging business associates.&nbsp; The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors.&nbsp; And, the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third-party service providers.&nbsp; This is no surprise since many studies suggest that over a third of breaches are caused by vendors.&nbsp;
Since March 1, 2010, businesses that handle personal information of Massachusetts residents have been addressing the requirements of <a href="http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf" target="_blank" rel="noopener">Massachusetts 201 CMR 17.00 &ndash; Standards for the Protection of Personal Information of Residents of the Commonwealth</a>[.pdf].&nbsp; There are many requirements &ndash; from employing a comprehensive information security program to developing security policies for current and terminated employees.&nbsp; Additionally, organizations are required to include language in contracts with vendors who handle personal information of Massachusetts residents regarding the employment of appropriate safeguards.&nbsp; This has always been a requirement under 201 CMR 17.03(f)(2); however, there was a 2-year &ldquo;safe harbor&rdquo; for contracts that were entered into prior to March 1, 2010.&nbsp; On March 1, 2012, that &ldquo;safe harbor&rdquo; expires and all contracts with vendors who handle personal information of Massachusetts residents must require vendors to implement and maintain appropriate security measures for personal information.
Whether you are a vendor, or the organization providing the data to the vendor, you must have a Written Information Security Program (WISP) in place to be compliant under Massachusetts 201 CMR 17.00.&nbsp; If a breach occurs, the Massachusetts Attorney General must be notified and you will very likely be asked for a copy of your WISP.&nbsp; Generally, when we assist clients with the preparation of a WISP, we address both technical and administrative safeguards such as:
<ul>
<li>encryption;</li>
<li>employee training;</li>
<li>sanction policies;</li>
<li>regular monitoring of the implementation of the policies in place;</li>
<li>risk assessments;</li>
<li>breach response plans;</li>
<li>access controls;</li>
<li>anti-virus protections; and&nbsp;</li>
<li>firewall protections.</li>
</ul>
Moreover, notwithstanding the requirements of the Massachusetts law, it is good practice to update old contracts to address issues that have evolved over the past few years related to privacy.&nbsp; Some of these include:
<ul>
<li>independent audit of a vendor (e.g., American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16));</li>
<li>cyber insurance coverage, including notification costs;</li>
<li>pre-approval of the use of cloud services;</li>
<li>pre-approval of the downstream sharing of data with sub-vendors; and</li>
<li>compliance with local, state, and federal data security laws.</li>
</ul>
Whether or not you need to comply with the Massachusetts Data Security Regulations, now is a good time to take your dusty old contracts out of the drawer to see how they can be improved.&nbsp; Vendors should be reviewing their contracts, too &ndash; not just from a regulatory compliance standpoint, but to make sure they are not committing to something they are unable to deliver.
&nbsp;

All Contracts with Vendors Who Handle Personal Information of Massachusetts Residents Must Have Appropriate Safeguards in Place by March 1, 2012