If your corporate IT "cloud" casts a shadow in Massachusetts, you have mere weeks to finalize the compliance program for your IT service contracts or face the thunderstorm of penalties under that state's data security law. On March 1, 2012, a requirement in the Massachusetts data security regulations will go into effect requiring companies' written information security programs (WISPs) to cover cloud computing, software-as-a-service, outsourcing and other information technology service providers.

The WISP requirement itself has been in place since 2010, but now must additionally require contracts with third party IT providers to contain a provision obligating the service provider to implement and maintain "appropriate security measures" to protect covered personal information in a manner consistent with the Massachusetts regulations and federal law.

The Massachusetts regulation encompasses any business that handles certain types of personal information about Massachusetts residents either in connection with a transaction in goods or services, or in connection with employment. As a result of the employee coverage, this regulation not only affects companies collecting consumer information, but also likely covers anyone with operations in Massachusetts. The covered personal information consists of first and last names or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number;
  • driver's license number or state-issued identification card number; or
  • financial account number, or credit or debit card number.

Although the regulation only requires that WISPs call for amendment by March 1, 2012, McGuireWoods advises putting the necessary contract amendments in place as soon as possible. Having a WISP that requires the amendments, without actually putting the amendments in place, would be evidence of a failure to adequately implement the WISP as required by the regulation.

The Massachusetts regulation (a copy can be downloaded here) represents a major shift and an emerging trend in state law efforts to combat identity theft and promote security of personal information. Unlike the data-breach notification laws that began in California in 2002, which have since been adopted in nearly every state, this regulation goes far beyond requiring notification of breach. It prescribes the adoption of an extensive and detailed WISP that includes a long list of elements. As other states follow Massachusetts' lead, and the FTC and SEC focus on privacy and data security at the federal level, data security is becoming a headline compliance and corporate governance issue for companies operating in the United States.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.