Last week, Massachusetts officials made yet another about-face when it comes to data security requirements. An update from the law firm of Morrison and Foerster points out that the Office of Consumer Affairs and Business Regulation has once again added the service provider "due diligence and contract requirement" to the data security requirements. The update states:
The amended regulations have reintroduced the obligation that a business enter into contracts with its service providers to require the service providers to implement and maintain security measures that are consistent with the Massachusetts regulations and, in a new addition, any applicable federal regulation.
Why is this a big deal? Well, a little back story:
Last September, Massachusetts introduced data security requirements that required any organization that maintains personally identifiable information on Massachusetts residents to undertake "comprehensive measures to protect that information from unauthorized access, disclosure or misuse." The requirements, including encrypting mobile devices and certifying that service providers who had access to Massachusetts residents' data could adequately safeguard it, were to be enforced beginning Jan. 1, 2009.
Two months later, the general compliance deadline was extended from Jan. 1 to May 1, 2009. The deadline to encrypt "non-laptop mobile devices" was also extended to Jan. 1, 2010. Then, in February 2009, the Massachusetts Office of Consumer Affairs and Business Regulation relaxed the service-provider contract and certification requirements so that companies subject to the requirements only had to "take all reasonable steps" to ensure that their service providers could maintain the required safeguards. Express contract provisions to that effect, accompanied by written certifications, were no longer necessary.
Now, of course, the contract requirement is back.
If it helps any, the latest amendments do make a few concessions for businesses. For one, the general compliance deadline has been extended to March 2010. Second, the regulations provide a "grandfather clause" for service provider contracts entered into before March 1, 2010. Those contracts will be deemed to comply even if they don't have an express provision requiring implementation of data security safeguards.
But Morrison Foerster warns that the grandfather clause isn't exactly clear, so keeping those compliance efforts at the top of the priority list is probably a good idea, even if you think your contract will be grandfathered in for now.