
Massachusetts Privacy Standards Eliminate Third Party Vendor Personal Information Exemption

March 1, 2012

If you do business with Massachusetts consumers, and allow third party vendors access to consumer data, please take note.

As of March 1, 2012, all contracts with vendors who have access to Massachusetts consumers’ personal information (PI) must contain representations of compliance with Massachusetts privacy standards. For the past two years, all companies—wherever located—that possess PI of Massachusetts residents have been required to comply with 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth (the "Standards"). Among many other requirements, the Standards mandate that contracts with third-party vendors who have access to PI of Massachusetts residents include express representations that the vendor maintains appropriate security measures for such information. 

Although the Standards have applied to contracts entered into after the effective date of March 1, 2010, contracts already in existence on that date were exempted from compliance for two years. That exemption expires on March 1, 2012. Any contract that was in existence on March 1, 2010, with a vendor who has access to the personal information of a Massachusetts resident should therefore be amended to include the required representations. There is no explicit private right of action in the statute, but the attorney general may impose penalties of $5,000 per violation, plus attorneys’ fees and costs of investigation (M.G.L. c. 93A § 4). Clients who possess PI of Massachusetts residents should review their vendor contracts for compliance (and confirm that their own policies and procedures meet the required standard).

If you require assistance in answering this or any other question pertaining to federal and state privacy laws, please do not hesitate to contact Kit Winter, the author of this alert, at 213-457-1736, or any other member of Dykema’s privacy team. 


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2012 Dykema Gossett PLLC.  
