Massachusetts Data Protection Law: Third-Party Provision Effective March 1

By Bruce E. H. Johnson

Effective March 1, 2012, any company, wherever located, that is holding the “personal information” of Massachusetts residents must amend its existing vendor contracts to require compliance with Massachusetts data security regulations. 201 CMR 17.03 (f)(2).

This requirement for contracts with third-party vendors applies to the personal information of all Massachusetts residents, including customers, employees and others. The data security rules require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network must also be encrypted.

If you own or license personal information about Massachusetts residents, you should ensure you comply with the Massachusetts law. Please feel free to consult with a member of DWT’s PrivSec practice group regarding this issue.

To read more about the Massachusetts law, please visit our Nov. 17, 2008 advisory here.
