Home > Property & Casualty > Massachusetts Data Security Regulations March 1st deadline approaches

Massachusetts Data Security Regulations March 1st deadline approaches

Massachusetts has some of the nation’s most extensive requirements for the protection of personally identifiable information (PII), and on March 1, 2012, an additional provision will become effective. By that date, all companies subject to the Massachusetts Data Security Regulations must make sure that all of their service providers who have access to PII of Massachusetts residents are contractually obligated to comply with the Regulations by implementing appropriate security practices and procedures.

Many companies have been surprised to learn that they are even subject to Massachusetts’ Data Security Regulations. No matter where they are located, entities must comply with the Regulations if, in connection with employment or the provision of goods or services, they receive, process, store, maintain or otherwise have access to PII of Massachusetts.

Among many other requirements, entities subject to the Regulations were given the burden of providing for “downstream” compliance with the Regulations by their covered service providers. There are two facets to this burden. First, a company must perform appropriate due diligence on the service providers’ internal practices and procedures. The second facet involves ensuring that contracts with these service providers obligate them to comply with the Regulations.

The Regulations seek to ease the burden on covered companies by creating a “grace period” for contracts with covered service providers in existence on March 1, 2010 — the effectiveness date for the Regulations. All such contracts entered into after that date were required to impose the obligations described above, but companies were given until March 1, 2012, to update those older contracts with the compliance obligations. That grace period is about to end.

All entities subject to the Regulations should review each of their contracts with covered service providers. Furthermore, they should consult with their advisors to make sure that they are both complying with their legal obligations and implementing effective risk management practices with respect to their information security obligations and exposures.

About the Author

John Doernberg is a Vice President at WGA. He is responsible for developing relationships and serving as a resource for WGA clients, with a particular focus on privacy, information security and risk management issues. Before becoming an insurance broker in 1995, he practiced law for more than ten years at major firms.

617.646.0336   JDoernberg@wgains.com   Connect with John via LinkedIn


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s