Newsroom
Articles & Releases
Industry Headlines
02/21/2012 - The Data Security Chain Must Get Stronger by March 1, 2012
A chain is only as strong as its weakest link. This principle is on display in the Massachusetts data security regulations (201 CMR 17.00), which require companies to protect personal information not only by implementing their own safeguards, but also by forcing companies to fortify the other links in the chain by having their vendors sign contracts committing to do the same. When the regulations went in to effect on March 1, 2010, they grandfathered existing contracts with vendors, meaning that these contracts were not required to contain the data security assurances. But the grandfathering ends on March 1, 2012.
As of that fast-approaching date, companies must contractually require all third-party service providers who touch personal information to implement and maintain appropriate security measures. This change in the law affects every business. We all have vendors that handle our personal information, including: payroll providers, banks, lawyers, insurers, benefits providers, shredding and disposal companies, cleaning companies, and record storage companies, to name a few.
A good third-party service contract will require a vendor to:
-- protect all personal information in the manner required by law and regulations;
-- have a Written Information Security Program (“WISP”);
-- enter into contracts with its third-party service providers;
-- provide immediate notification in the event of a data security breach; and
-- provide indemnification for any mishandling of personal information.
And know that even the best contract might not be enough. Companies are required to take reasonable measures to select vendors capable of maintaining appropriate security measures to protect personal information. So, if your business involves significant amounts of personal information, it might not be appropriate to use Joe’s Shredding and Acupuncture, no matter what contract Joe is willing to sign. You would want to use a company whose name and reputation would instill a bit more confidence.
In some cases, especially where a lot is at stake, it would be appropriate to go an additional step and actually enter into discussions with vendors regarding what they do to protect personal information, and to ask to see their WISP.
If all of this sounds extreme, consider this: if a vendor loses your customers’ personal information that they have given to you, will your customers hold it against the vendor or you? In deciding whether to bail on you, will they even make the distinction? And will plaintiff’s lawyers give you a pass because you are able to ascribe blame to another company? The answers to these questions make it clear that companies need to do their best to ensure that their vendors are strong links in the data security chain.
What is your business doing to confirm that its vendors are protecting personal information? What kinds of contracts do you have in place? Have you seen your vendors’ WISP’s? The HRW Data Security Team would be glad to discuss these issues with you and to give you sample language that you can use in your contracts with third-party service providers.
-- C. Max Perlman
Photo: www.photo-dictionary.com
02/21/2012 - Key Issues to Consider for Outreach and Enrollment Efforts under Health Reform
This report identifies key issues to consider for outreach and enrollment efforts in implementing the coverage expansions under health reform. It is part of the Health Reform Roundtables series.
02/21/2012 - Key Facts on Health Coverage for Low-Income Immigrants Today and Under Health Reform
This fact sheet provides an overview of coverage options for immigrants today and under health reform, and highlights key barriers to enrollment and access.