February 10, 2012
If your corporate IT “cloud” casts a shadow in Massachusetts, you have
mere weeks to finalize the compliance program for your IT service
contracts or face the thunderstorm of penalties under that state’s data
security law. On March 1, 2012, a requirement in the Massachusetts data
security regulations will go into effect requiring companies’ written
information security programs (WISPs) to cover cloud computing, software-as-a-service, outsourcing
and other information technology service providers.
The WISP requirement itself has been in place since 2010, but now must additionally require contracts with third party IT providers to contain a
provision obligating the service provider to implement and maintain “appropriate security measures” to protect covered personal information in a manner
consistent with the Massachusetts regulations and federal law.
The Massachusetts regulation encompasses any business that handles certain types of personal information about Massachusetts residents either in
connection with a transaction in goods or services, or in connection with employment. As a result of the employee coverage, this regulation not only affects companies collecting consumer information, but also likely covers anyone with operations in Massachusetts. The
covered personal information consists of first and last names or first initial and last name in combination with any one or more of the following data elements:
- Social Security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number.
Although the regulation only requires that WISPs call for amendment by March 1, 2012, McGuireWoods advises putting the necessary contract amendments in
place as soon as possible. Having a WISP that requires the amendments, without actually putting the amendments in place, would be evidence of a failure
to adequately implement the WISP as required by the regulation.
The Massachusetts regulation (a copy can be downloaded
here) represents a major
shift and an emerging trend in state law efforts to combat identity theft and promote security of personal information. Unlike the data-breach
notification laws that began in California in 2002, which have since been adopted in nearly every state, this regulation goes far beyond requiring
notification of breach. It prescribes the adoption of an extensive and detailed WISP that includes a long list of elements. As other states follow
Massachusetts’ lead, and the FTC and SEC focus on privacy and data security at the federal level, data security is becoming a headline compliance and
corporate governance issue for companies operating in the United States.
Helping our clients keep their contracts for cloud computing and outsourcing up to date and in legal compliance is one of the services provided by the
McGuireWoods Technology & Outsourcing practice team, chaired by Steve Gold. Advice and litigation of data security and data privacy issues are
services provided by the firm’s Data Privacy and Security team, chaired by Bill Cook.