As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took effect in March 2010—require companies to implement a written information security program containing certain elements, including a requirement that personal information be encrypted when transmitted wirelessly or across public networks, and when stored on portable computing devices (including laptops). The regulations also require companies to take “reasonable steps” when selecting a service provider to ensure that the provider is capable of maintaining appropriate measures for the protection of personal information.

To be clear, the service provider contract provision has been in effect since March 2010 for all contracts entered into after that date.  But the provision contains a grandfather clause that exempted pre-March 2010 contracts from the requirement.  This exemption expires on March 1, 2012.