The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interests. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers. Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information. Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider.
The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so. There are several particularly noteworthy implications of these requirements.
Expansive Definition of Service Provider
The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost any vendors, suppliers, consultants, contractors, and advisors with which a business shares the personal information of Massachusetts residents appear to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify all scenarios where the third party service provider requirements are applicable.
Data Security Due Diligence
While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.
Monitoring Third Party Service Provider Data Security Practices
The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy.
Limited Grandfather Clause
Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contract to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence.
The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.