News for Credit Professionals       NACM-SE

Massachusetts Data Security Regulations on Vendor Contracts Now In Effect

A new data security regulation in Massachusetts went into effect on March 1. And any business in the U.S. that stores or maintains “personal information” about one of the bay state’s residents must comply.

The commonwealth’s new law broadly defines “personal information” as a person’s name in combination with any one or more of the following: social security number, driver’s license number, state-issued identification card, financial account number and credit or debit card number. To comply with the regulations, businesses must develop, implement, maintain and monitor a comprehensive, written information security program, and, secondly, establish and maintain a security system, which, among other things, encrypts personal information stored on portable devices or transmitted wirelessly or on public networks.

If that sounds stringent, that’s because it is. While 44 states have enacted data security breach notification laws in recent years, the Massachusetts regulations are among the nation’s most comprehensive and restrictive because it’s geared more toward preventing data breaches than it is toward notifying victims of a breach after it’s already occurred.

Moreover, businesses required to comply with the Massachusetts data security regulations that also engage a third party outside vendor to store, process, transmit or destroy data containing personal information of a Massachusetts resident must also have amended their contracts with such vendors in order to require them to comply with these regulations as well and thoroughly have investigated any such vendors in order to determine whether their privacy practices are adequate.

The now in-effect rule could signal a shift in state legislation away from dictating what companies must do in the wake of a data breach, and toward dictating what companies must do in order to prevent a data breach in the first place. No single standards exist for nationwide coverage, since data security and breach notification laws differ from state to state, but companies should, at the very least, collect only as much information from their customers as is necessary and implement solid, comprehensive procedures governing data security and breach notifications. Furthermore, companies that engage third parties that provide these services should carefully investigate their potential partner before agreeing to pay for such services.

Jacob Barron, CICP, NACM staff writer