Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Final phase of Mass. data protection law kicks in March 1

It requires companies to take measures to protect personal data of state residents

All companies storing personal data on Massachusetts residents have just over a month to ensure that their contractors, suppliers, technology providers and other third parties comply with a provision of a state data breach law that went into effect in March 2010.

The law ( download PDF ) is designed to ensure that companies holding data on Massachusetts residents have certain security controls in place .

Over the past two years, most of the provisions of the bill have already gone into effect. The last one, which deals with third-party compliance, takes effect on March 1.

After that date, all companies with personal data on Massachusetts residents will be required to have specific language in third-party contracts that obligates their vendors to employ reasonable measures for protecting personal information.

The provision is aimed at ensuring that companies select and retain companies capable of adequately protecting customer data, said Socheth Sor, an associate at Edwards Wildman Palmer LLP in Hartford, Conn.

The law does not require businesses to go out and audit their third-parties for compliance, Sor said. It simply requires businesses to get a contractual assurance from their partners attesting to their ability to protect customer data in compliance with the state standards.

"If I was contracting with a third-party service provider, I would say 'Can I see your security policies?'" Sor said. "I would require by contract that they are capable of protecting my company's information."

Though companies are not required to audit third-party firms, they should reserve the right to do so in their contract language, Sor said.

They also need to include language requiring vendors and other partners to notify them immediately of any data breach. In addition, companies need to make sure in their contracts that vendors destroy or return all personal information that the company may have provided to them upon termination of the contract.

The Massachusetts data protection law applies to all businesses that store personal information on state residents, regardless of where the companies are based.

The rules require businesses to encrypt sensitive personal information on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. The rules also require encryption for all personal information transmitted over a public or wireless network.

In addition, the law requires businesses to take reasonable steps to control logical and physical access to sensitive customer data and for limiting the amount of personal data they collect, store and share.

The rules were crafted by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) and were originally supposed to go into effect Jan. 1, 2009. The deadline was extended twice as a result of considerable resistance from businesses, many of whom were concerned about its provisions.

The third-party contract requirement about to take effect was one major sticking point. As originally written, the provision would have required businesses to take far more elaborate measures to ensure third-party compliance with the state law. The provision was heavily revised following strong protests from several industry groups and large companies, including Microsofr, Google, Target and Wal-Mart.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, Google, LP, Topic, Wal-Mart
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Palm, privacy, security, storage
Latest Blog Posts
Whitepapers
  • Oracle Business Process Analysis Suite
    Careful analysis and continuous optimization of business processes delivers real competitive advantage. Conversely, a random approach to process design negatively impacts a company’s bottom line. This insight is one reason successful companies adopt business process management (BPM) as a way of aligning their business processes with business and customer requirements. Success with BPM eliminates the gap between business strategy and implementation. Business users are empowered to participate in all stages of the business process lifecycle. Closed-loop integration between modeling, execution, and monitoring enables continuous and holistic business process improvement.
    Learn more »
  • Business Process Management, Service-Oriented Architecture, and Web 2.0: Business Transformation or Train Wreck?
    As a result of more and more organisations adopting new technologies and business practices surrounding BPM, SOA, and Web 2.0, fundamental changes have arisen in the way IT and business stakeholders work together. Make this into an opportunity - read on.
    Learn more »
  • Enhancing Decision-Making, Cost-Efficiency, and Profitability With Predictive Analytics
    Today’s managers must always look at the past, present, and future. They need reports on past performance to improve operational efficiency. Business intelligence (BI) platforms such as Information Builders WebFOCUS, are providing a unified decision-support environment where managers can retrieve and analyze data about past, present, and future activities. In this paper, we will discuss the incorporation of predictive modeling capabilities into the WebFOCUS BI platform, and highlight how this advanced functionality can dramatically improve decision-making, thus reducing risk and costs while increasing revenue and profits.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments