According to a study by the Ponemon Institute, 39 percent of data breaches in 2010 involved third-party service providers such as outsourcers, contractors, consultants and business partners. As many companies have learned, data breaches are expensive, both in terms of actual costs as well as potential legal liability and negative publicity. An important data breach prevention measure is to have in place effective safeguards to protect personal information and to require your company’s vendors to do the same. In addition to being sound risk mitigation, it may be required by law.
The Massachusetts Office of Consumer Affairs and Business Regulation established what have become known as the Massachusetts data security regulations with the aim of addressing privacy breach risks posed by vendor relationships, among other things. The regulations, which went into effect March 1, 2010, require any company, regardless of location, size or industry, that possesses the personal information of a Massachusetts resident to adopt and implement a comprehensive written information security program (WISP). A WISP must address the technical, physical and administrative safeguards for the protection of personal information.
As defined by the regulations, personal information means an individual’s first name and last name or first initial and last name in combination with any one or more of the following:
- Social Security number
- Driver’s license state-issued identification card number
- Financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to the financial account
Although the regulations only apply to companies possessing the personal information of Massachusetts residents, a growing number of companies have tailored their WISP to the requirements under the Massachusetts regulations to cover all the personal information they maintain. To reduce the risk of data breaches involving third-party service providers, the Massachusetts regulations require companies to take reasonable measures to select vendors that are capable of maintaining appropriate security measures to protect personal information. In addition, companies must enter into contracts with vendors to require them to implement and maintain security measures in compliance with the Massachusetts regulations. All new contracts effective after March 1, 2010 must meet this requirement. For contracts entered into before March 1, 2010, companies are deemed to be in compliance with this requirement if they are amended by March 1, 2012.
Vendor contracts and amendments should contain several key provisions, including representations, warranties and covenants providing the following:
- The vendor must comply with the Massachusetts regulations and other applicable federal and state privacy and data security requirements
- The company has the right to evaluate or audit the vendor periodically to ensure its compliance with applicable laws
- The vendor must contractually require any of its vendors to comply with applicable privacy and data security requirements
- The vendor must provide the company with immediate notification of an actual or potential breach involving personal information shared with the vendor
- The vendor shall return or appropriately destroy all of the company’s personal information in its possession at the termination of the contract
- The vendor shall indemnify the company and hold it harmless against any and all losses, damages and expenses resulting from a data breach caused by the vendor or its vendors.
Although these requirements only apply to companies possessing the personal information of Massachusetts residents, companies that are not within the scope of the Massachusetts regulations should consider amending their contracts with vendors to include the provisions outlined above, as it is good general practice and may help to prevent data breaches.