Legacy Vendor Agreements and the Massachusetts Data Security Law

Unless you have been on an extended vacation, you likely know the Massachusetts Data Security Law (Standards for the Protection of Personal Information of Residents of the Commonwealth) goes into effect in less than a month on March 1, 2010.  You may also know that pre-existing, legacy vendor agreements are being grand fathered in, with compliance being deferred until March 1, 2012.  It is with regard to those legacy contracts that I suggest businesses start work now.  While two years seems like a long time, those two years can quickly run out when you are trying to address potentially dozens, even hundreds, of legacy agreements.

As a quick review, the Massachusetts law requires all legacy “service provider” agreements to be compliant by March 1, 2012.  Service providers are defined under the law as:  “. . . [A]ny person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.” 

I recommend starting now to identify all relevant service providers, review their contracts, and identify those relationships requiring remediation.  In many cases, compliance can be achieved by simply having the vendor execute a one or two page amendment to the existing contract addressing compliance with the Massachusetts statute.  In other cases, the vendor may be reticent.  Renegotiation of the entire underlying agreement may be required.  Worse yet, some vendors may refuse any amendment or renegotiation of their agreements.  In those instances, replacement vendors must be identified and new agreements negotiated.  This process will take time.  In the context of the foregoing, two years is a relatively short period of time.  This is why businesses should start now in their compliance efforts.