Regulatory: Follow the leader when it comes to preventing data breaches

In Massachusetts, it’s the law; everywhere else it’s just good business

According to a study by the Ponemon Institute, 39 percent of data breaches in 2010 involved third-party service providers such as outsourcers, contractors, consultants and business partners. As many companies have learned, data breaches are expensive, both in terms of actual costs as well as potential legal liability and negative publicity. An important data breach prevention measure is to have in place effective safeguards to protect personal information and to require your company’s vendors to do the same. In addition to being sound risk mitigation, it may be required by law.

The Massachusetts Office of Consumer Affairs and Business Regulation established what have become known as the Massachusetts data security regulations with the aim of addressing privacy breach risks posed by vendor relationships, among other things. The regulations, which went into effect March 1, 2010, require any company, regardless of location, size or industry, that possesses the personal information of a Massachusetts resident to adopt and implement a comprehensive written information security program (WISP). A WISP must address the technical, physical and administrative safeguards for the protection of personal information.

To reduce the risk of data breaches involving third-party service providers, the Massachusetts regulations require companies to take reasonable measures to select vendors that are capable of maintaining appropriate security measures to protect personal information. In addition, companies must enter into contracts with vendors to require them to implement and maintain security measures in compliance with the Massachusetts regulations. All new contracts effective after March 1, 2010 must meet this requirement. For contracts entered into before March 1, 2010, companies are deemed to be in compliance with this requirement if they are amended by March 1, 2012.

Vendor contracts and amendments should contain several key provisions, including representations, warranties and covenants providing the following:

author image

Michael T. Griffin

Michael T. Griffin is a partner in the Insurance and Reinsurance Department of Edwards Wildman Palmer LLP. He bases his practice in the firm's office...

Bio and more articles

Contributing Author

author image

Socheth Sor

Socheth Sor is a member of the Insurance and Reinsurance Department in the Hartford office of Edwards Wildman Palmer LLP. She focuses her practice on...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.