January 25, 2012, 2:31 PM — All companies storing personal data on Massachusetts residents have just over a month to ensure that their contractors, suppliers, technology providers and other third parties comply with a provision of a state data breach law that went into effect in March 2010.
The law is designed to ensure that companies holding data on Massachusetts residents have certain security controls in place.
Over the past two years, most of the provisions of the bill have already gone into effect. The last one, which deals with third-party compliance, takes effect on March 1.
After that date, all companies with personal data on Massachusetts residents will be required to have specific language in third-party contracts that obligates their vendors to employ reasonable measures for protecting personal information.
The provision is aimed at ensuring that companies select and retain companies capable of adequately protecting customer data, said Socheth Sor, an associate at Edwards Wildman Palmer LLP in Hartford, Conn.
The law does not require businesses to go out and audit their third parties for compliance, Sor said. It simply requires businesses to get a contractual assurance from their partners attesting to their ability to protect customer data in compliance with the state standards.
"If I was contracting with a third-party service provider, I would say 'Can I see your security policies?'" Sor said. "I would require by contract that they are capable of protecting my company's information."
Though companies are not required to audit third-party firms, they should reserve the right to do so in their contract language, Sor said.
They also need to include language requiring vendors and other partners to notify them immediately of any data breach. In addition, companies need to make sure in their contracts that vendors destroy or return all personal information that the company may have provided to them upon termination of the contract.
The Massachusetts data protection law applies to all businesses that store personal information on state residents, regardless of where the companies are based.
The rules require businesses to encrypt sensitive personal information on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. The rules also require encryption for all personal information transmitted over a public or wireless network.