March 1 Deadline Looms for those Collecting Data from Massachusetts Residents
If your company collects information from Massachusetts residents, you should be aware of the March 1, 2012, deadline imposed by the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (the “Regulations”). 201 CMR 17.00 (2010). As of March 1, every company that collects personal information from Massachusetts residents must ensure that its contracts with service providers—including email administrators, marketing companies, IT contractors and security personnel—contain a provision requiring the service provider to implement and maintain appropriate security measures when handling personal information received from the company.
The good news is that the definition of “personal information” in the Regulations is narrow and is limited to the more sensitive data: a resident’s name in combination with a social security number, a driver’s license or state identification card number, or a financial account, credit card or debit card number. If your company collects this more sensitive information from Massachusetts residents, it will have to comply with the Regulations. If, however, your company collects only a person’s name and email address, it is off the hook—it has no obligation to comply with the Regulations.
The Regulations took effect on March 1, 2010, and apply to every entity that owns or licenses Personal Information about Massachusetts residents, whether or not it has a place of business in Massachusetts. For example, if your company sells products to customers in Massachusetts or has employees who live in Massachusetts and it collects Personal Information from these individuals—even if it is only 10 people—it should be aware of the Regulations. There are no categorical exemptions, although the safeguards expected of a business scale with its size, resources and the amount of data it holds.
What, exactly, do the Regulations require? This is the question many organizations are asking now that they are receiving emails touting the March 1 deadline. The March 1 deadline applies to only one relatively small component of the Regulations: the agreements with service providers, discussed below in Section (2). The other, larger requirement imposed by the Regulations—the WISP—has been in effect since 2010 and is considerably more burdensome, especially if your company hasn’t gotten started.
(1) The WISP
First, the Regulations require any company that collects Personal Information from Massachusetts residents to develop a comprehensive Written Information Security Program (WISP). The WISP should, in essence, outline the following: what information is collected, for what purpose it is collected, how the information is protected, and how long your organization will retain it.
To develop an adequate WISP, an entity collecting personal information from Massachusetts residents should bring together everyone who is “in the know” about the organization’s data collection and use to discuss the company’s data collection practices. This means that your company’s Chief Technology Officer, Privacy Officer, Marketing Executive and Chief Executive Officer, for example, should meet to consider all access and data collection points, both virtual and physical. One of these individuals should also be designated as primarily responsible for the WISP and for ensuring corporate compliance.
To start, this group should focus on where the company collects data. Consider both internal collections, such as information collected from employees, and external collections from clients and customers. For example, do you collect information from customers in a retail location or through an online registration process? Do you keep employee data in file cabinets, or stored on your servers? All of these collection and storage points must be identified and addressed in the WISP, as they will guide the remainder of the policy. Once the collection points have been listed, the next step is to determine the type of data collected at each. Consider Personal Information as defined by the Regulations (social security numbers, driver’s license numbers, financial account and card numbers), other identifying information such as email and mailing addresses, and non-personal information such as cookies and IP addresses. This is an important part of the process, because you want to ensure that the most sensitive data—social security numbers, credit and debit card numbers, financial and health information—is maintained securely and managed properly, since this is the data that can cause the greatest harm if it is part of a breach.
Next, the WISP should outline the purpose of the data collection. In this regard, it is important to collect only the data that is necessary for that purpose and to keep it only as long as it is needed. For example, if you store credit card numbers to make future purchases more convenient for customers, your organization should delete those records once a customer has not made a purchase within a pre-determined period. The WISP must therefore set out your company’s data retention policy, as well as how your company will destroy the data when it comes time to dispose of it. The Regulations require that disposed data be made unreadable, whether by physical destruction of paper and media or by erasure of electronic records so that they cannot be practicably read or reconstructed.
The WISP should also address what your organization will do in the event it terminates an employee, or if the employee chooses to leave. It should cover what you plan to do with the employee’s technology devices and laptop, and how you will ensure the employee no longer has access to your organization—physically or electronically. A similar analysis should be made with respect to contractors, vendors and service providers used by your organization.
Another important aspect of the WISP is a provision describing how your organization will protect the data it stores. The WISP should address the physical, offline storage of data—such as file cabinets and storage facilities—as well as electronic storage. This means the WISP should name the employees who will have access to particular file cabinets, explain who holds the keys or codes, and describe what is done to protect the information from intrusion. It should likewise address the protection of electronic data from intrusion, for example through firewalls, encryption and passcodes. The Regulations specifically require personal information to be encrypted when it is transmitted across public networks or wirelessly and when it is stored on laptops or other portable devices. Encryption has the additional benefit of avoiding some of the data breach notification requirements in several states, which generally do not treat the loss of encrypted data as a reportable breach. Thus, the WISP should require the encryption of personal information.
The WISP is an important component of the Regulations, and while it may seem burdensome, within a few years it is likely to be as common as online Privacy Policies. By developing a WISP, your organization ensures that it is managing and protecting the data it collects properly, and the WISP will also guide your response in the event of a breach. With a WISP in place, a company can respond quickly and effectively to a breach, and the WISP will help limit the scope of a breach, especially if encryption is used.
(2) Restrictions on Service Providers
As stated above, the March 1 deadline is tied to only a small part of the Regulations—the part that applies to an organization’s service providers. The Regulations define a “service provider” as “any person that receives, stores, maintains, processes or otherwise is permitted to access personal information through its provision of services.” 201 CMR 17.02. This definition is broad enough to cover marketing agencies, consultants, email administrators, IT personnel and contractors. If you have an agreement in place with one of these providers and the agreement is dated earlier than March 1, 2010, you have until March 1, 2012 to ensure that it contains language requiring the service provider to take appropriate measures to protect the personal information it receives from your company. Agreements entered into on or after March 1, 2010 are already expected to comply with the Regulations.
While the Regulations do not mandate specific contract language, it is recommended that agreements with service providers require the provider to comply with the Regulations as well as all applicable state and federal laws. The agreement should also require the service provider to obtain similar commitments from the vendors it uses. For example, if you share data with a marketing agency, and that agency shares the data with an email administrator, your agreement with the marketing agency should require it to place equivalent limitations on the email administrator. Further, the service provider should indemnify your company, and you should retain the right to audit the provider on an annual basis. These contractual restrictions should be in place by March 1, 2012 in every agreement between a service provider and an organization that collects personal information from Massachusetts residents.
Finally, it is important to note that the Regulations also require companies to vet service providers before using them. Organizations must take “reasonable steps” to select and retain service providers that employ “appropriate security measures” to protect personal information. Generally speaking, your organization should perform due diligence before engaging any service provider, especially one that will handle personal information on your behalf.
While the March 1, 2012 deadline may seem daunting to some, many companies have already satisfied the requirements imposed by the Regulations. Moreover, the requirements set forth in the Regulations generally constitute good business practice. Consumer information—especially sensitive information—should always be protected by appropriate safeguards, and anyone handling the information should be required to protect it with the same care as the company to which the consumer originally provided it. The contractual requirements not only provide guidance and oversight for service providers, but they also protect companies in the event that a service provider mishandles consumer information.
Arent Fox is monitoring this issue, and related data privacy laws. Please contact Sarah Bruno or Eva Pulliam if you have questions.