By March 1, 2012, companies with personal information of Massachusetts residents must amend their existing contracts with vendors that handle such information to require the vendors’ compliance with the Massachusetts data security regulations. This requirement applies to the personal information of all Massachusetts residents, regardless of whether they are customers, employees or others with whom the company comes into contact, and regardless of the state in which the data is kept.

Although the Massachusetts regulations do not specify the wording of the provisions that these contracts should include, companies should consider negotiating certain key privacy and data protection representations, warranties and covenants.

As many companies have learned, data breaches are expensive, both in the actual costs a company incurs to meet its notification obligations and in the potential legal liability to others and negative publicity. According to a recent study by the Ponemon Institute, 39 percent of data breaches in 2010 involved third-party service providers such as outsourcers, contractors, consultants and business partners. An important data breach prevention measure is to implement effective safeguards to protect personal information and to require one’s vendors to do the same. In addition to being sound risk mitigation, it may be required by law.

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) established what have become known as the Massachusetts data security regulations (201 CMR 17.00 et seq.) with the aim of reducing the risk of privacy breaches, including risks posed by vendor relationships. The Massachusetts regulations, which went into effect March 1, 2010, require any company that possesses the personal information of a Massachusetts resident, regardless of the company’s location, size or industry, to adopt and implement a comprehensive written information security program (“WISP”). A WISP must include technical, physical, and administrative safeguards for the protection of personal information owned, licensed, received, stored, maintained, processed, or otherwise accessed by the company.