Regulators are paying increasing attention to how carefully organizations manage the third-party vendors they engage. HIPAA imposes requirements for engaging business associates. The Connecticut Department of Insurance requires the reporting of breaches caused by vendors. And the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third-party service providers. This is no surprise, since many studies suggest that over a third of breaches originate with vendors.
Since March 1, 2010, businesses that handle personal information of Massachusetts residents have been addressing the requirements of Massachusetts 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. There are many requirements – from maintaining a comprehensive information security program to adopting security policies covering current and terminated employees. Additionally, organizations must include language in contracts with vendors that handle personal information of Massachusetts residents requiring the vendor to employ appropriate safeguards. This has been a requirement under 201 CMR 17.03(2)(f)(2) since the regulation took effect; however, there was a two-year “safe harbor” for contracts entered into before March 1, 2010. On March 1, 2012, that “safe harbor” expires, and all contracts with vendors that handle personal information of Massachusetts residents must require the vendor to implement and maintain appropriate security measures for that personal information.
Whether you are the vendor or the organization providing the data to the vendor, you must have a Written Information Security Program (WISP) in place to comply with Massachusetts 201 CMR 17.00. If a breach occurs, the Massachusetts Attorney General must be notified, and you will very likely be asked for a copy of your WISP. Generally, when we assist clients with the preparation of a WISP, we address both technical and administrative safeguards, such as:
- employee training;
- sanction policies;
- regular monitoring of whether the program and its policies are actually being followed;
- risk assessments;
- breach response plans;
- access controls;
- anti-virus protections; and
- firewall protections.
Moreover, regardless of what the Massachusetts law requires, it is good practice to update older contracts to address privacy and security issues that have emerged over the past few years. Some of these include:
- independent audit of a vendor (e.g., American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE 16));
- cyber insurance coverage, including notification costs;
- pre-approval of the use of cloud services;
- pre-approval of the downstream sharing of data with sub-vendors; and
- compliance with local, state, and federal data security laws.
Whether or not you need to comply with the Massachusetts Data Security Regulations, now is a good time to take your dusty old contracts out of the drawer and see how they can be improved. Vendors should review their contracts too – not just for regulatory compliance, but to make sure they are not committing to something they cannot deliver.