Massachusetts Data Security Regulations Amended Again: Employers, Retailers, and Vendors Likely Under Strict Controls

11 November 2009 Publication

Legal News Alert: Privacy, Security & Information Management

On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced final regulations (201 CMR 17.00) prescribing how entities owning or processing personal information of Massachusetts residents must protect that data. The final regulations and the technical changes that they include will take effect on March 1, 2010. The most significant changes offer clarification of when companies must apply the specific rules to contracts with service providers.

As we have indicated in two prior Foley Legal News Alerts, the data security regulations promulgated by the OCABR are a result of the Commonwealth’s breach notification legislation in 2007. Unlike most jurisdictions, which are either silent on the topic of specific policy and technical requirements or require the use of “reasonable” steps to protect the data, Massachusetts has developed a series of policy and technical requirements applicable to “personal information” as defined by the law. Because the OCABR data security requirements spring from an identity theft law, personal information is defined in terms of first name or initial plus last name and any combination of familiar identifiers such as social security number, drivers license number, or other data such as financial account information. The core of the data security regulations is the mandate of a comprehensive information security program — a program, not simply a policy — as well as the encryption of laptops and other portable devices, among other requirements.

The main modifications, announced on November 4, 2009, include: 1) the addition of the word “stores” to the definitions of “Owns or Licenses” and “Service Provider,” and 2) clarification of relevant dates for conformance of service provider contracts. Addition of the term “stores” would appear to have relatively little practical impact as the rules would have applied to anyone who “receives, maintains, processes, or otherwise has access to personal information….” Nonetheless, basic storage of data — even without access to the data — is a service that could result in loss. Likewise, in the definition of service provider, the definition now reads “any person that receives, stores, maintains, processes, or otherwise is permitted to access personal information through its provision of services directly to a person that is subject to this regulation.” The most likely entities affected by this expansion will be the subset of service providers that store but otherwise do not access the data in any way.

Of broader significance for firms taking steps to comply with these sweeping regulations is the clarification that contracts in effect on March 1, 2010, will be deemed to be compliant until March 1, 2012, even if they do not include the Commonwealth’s requirements. However, after the March 1, 2010 date, any new contracts or renewals of existing contracts must incorporate particular security measures for personal information. Therefore, a service provider agreement dated January 1, 2009, with a four year term need not be modified by March 1, 2010, but it must be updated before March 1, 2012, even though it has not come up for renewal.

The OCABR anticipates no future modifications to the regulations, although time will tell. The challenge remains for companies to become compliant themselves and to organize their service providers within the appropriate deadlines. Given the publicity surrounding these regulations, it is unlikely that the Massachusetts Attorney General, enforcer of the regulations, will have much sympathy for those not in compliance, regardless of where on the globe the personal information of Massachusetts residents is held.

Europeans have become accustomed to these types of prescriptive privacy and data security rules over the last few years. In the United States, this constitutes a new trend as Massachusetts, Nevada, and Minnesota, among others, begin to prescribe data security standards. The Massachusetts rule comes into effect on March 1, 2010, and apply regardless of whether the data is held in Massachusetts, California, or anywhere else. Therefore, internal data security reviews should start in earnest now.

Links to Other Relevant Legal News Alerts:

Massachusetts Delays Implementation of New Data Security Regulations (

Massachusetts Data Security Regulations Impose Strict Controls on Employers and Retailers, Impact Outsourcing Relationships (

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

Peter McLaughlin
Senior Counsel