
Legacy Vendor Agreements and the Massachusetts Data Security Law

Feb 03, 2010 | 2 mins
Data and Information Security

Unless you have been on an extended vacation, you likely know the Massachusetts Data Security Law (Standards for the Protection of Personal Information of Residents of the Commonwealth) goes into effect in less than a month, on March 1, 2010. You may also know that pre-existing, legacy vendor agreements are being grandfathered in, with compliance deferred until March 1, 2012. It is with regard to those legacy contracts that I suggest businesses start work now. While two years seems like a long time, those two years can quickly run out when you are trying to address potentially dozens, even hundreds, of legacy agreements.

As a quick review, the Massachusetts law requires all legacy “service provider” agreements to be compliant by March 1, 2012.  Service providers are defined under the law as:  “. . . [A]ny person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.” 

I recommend starting now to identify all relevant service providers, review their contracts, and identify those relationships requiring remediation.  In many cases, compliance can be achieved by simply having the vendor execute a one or two page amendment to the existing contract addressing compliance with the Massachusetts statute.  In other cases, the vendor may be reticent.  Renegotiation of the entire underlying agreement may be required.  Worse yet, some vendors may refuse any amendment or renegotiation of their agreements.  In those instances, replacement vendors must be identified and new agreements negotiated.  This process will take time.  In the context of the foregoing, two years is a relatively short period of time.  This is why businesses should start now in their compliance efforts.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.