
Massachusetts Data Security Regulations: 1 Month to Deadline

The final phase of the Massachusetts data security regulation, officially titled 201 CMR 17.00, comes into effect on 1 March 2011. With a month to go, any business that handles Massachusetts residents' personal information, directly or through third-party contractors, needs to have its procedures in place, whether or not the business itself is located in the State.

Essentially, if any contractor, supplier, technology provider or other third party holds personal information on Massachusetts residents on a company's behalf, the company must have a written contract in which that third party commits to protecting the information in line with the regulation. Note that the regulation's definition of "personal information" is specific: a resident's first name or initial and last name in combination with a Social Security number, a driver's licence or state-issued ID number, or a financial account or credit card number. The company is not required to audit the third party, but it is good practice for the signed contract to reserve the right to do so.

So what does this mean for data captured or stored online by a third party? First, let's identify a few examples of the third parties this could include:

  • A marketing company with a database of Massachusetts residents that will send materials on behalf of a company
  • A contractor with addresses of customers they need to supply services to, on behalf of a company
  • A web developer that hosts a company's website and holds customer login details
  • A third party that hosts health records or financial information on behalf of a hospital

All of these third parties will need appropriate measures in place to protect Massachusetts residents' information, even if only a few MA residents appear in their data. They need to assure the companies they work for that the data is protected, or risk losing that client.

The regulation's purpose is stated as:

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

As an MA resident, I think the regulation has the right purpose. As part of the online privacy community, I also think it's a good reminder of the importance of protecting a business. The benefits of protecting customers' privacy are far greater to a business than the alternative. Privacy helps to:

  • Protect your organization’s reputation internally and externally by assuring that your website properties are trustworthy and safe
  • Immediately identify issues for correction before problems can arise
  • Monitor for content or programming issues that could affect privacy requirements during website development
  • Ensure that information collected from site visitors can be audited for compliance
  • Create custom reports for internal website compliance management
  • Earn customer confidence by providing a trusted environment of Internet confidentiality

For any company using the web to store MA residents' private information, remember that the obligation applies both internally and to the third parties you use. Automated privacy tools are worth putting in place not only to enforce your policy but also to monitor for breaches: that monitoring improves your data protection over time and differentiates you from other businesses, because you can show your corporate customers or clients specific compliance reports on demand.
