Mass. privacy law expands
Massachusetts has been among the states with the most far-reaching, aggressive privacy regulations. A wide-ranging law that went into effect in March 2010 continues its staggered rollout. On March 1 of this year, the final leg of the law will kick into effect.
This provision deals with third-party companies that may end up collecting data on state residents. As ComputerWorld notes, the provision requires that companies select and retain third-party vendors that are capable of adequately protecting customer data.
“The law does not require businesses to go out and audit their third-parties for compliance…It simply requires businesses to get a contractual assurance from their partners attesting to their ability to protect customer data in compliance with the state standards.”
On the surface this seems like mere cosmetics. All vendors will certify that they will protect customers. But the requirement does give companies some leverage in that they will be able to force their third-party service providers to own up to their security measures and specific practices regarding the timeliness of disclosure in the event of a breach. Companies appear to also gain some leverage in seeking compensation in the event of a breach that was the fault of the third party.
The Massachusetts data protection law applies to any company that stores personal information on any state resident, regardless of where the company is based.