201 CMR 17.00: Have You Secured Your Data With 3rd Party Vendors?
On March 1, 2012, the final phase of Massachusetts General Law Chapter 93H and its new regulations, 201 CMR 17.00, went into effect, including the provisions that cover 3rd party vendors.
At its most basic, this law protects Massachusetts residents against identity theft and fraud. If the ruling seems almost obvious, or even stirs some déjà vu, that is probably because the law was first put into practice on March 1, 2010, and similar laws have already been enacted in California, Maryland, Nevada, Oregon, and Texas. This final step in the new law covers contracts entered into before the 2010 date, which had been grandfathered in; the March 1, 2012 date completely nullified all grandfathered contracts. Now, ALL companies or persons in Massachusetts who store or use personal information about Massachusetts residents must have created a written, regularly and internally audited plan to protect a Massachusetts customer's or user's personal information, including additional WISPs from any third party vendors who are also able to see that personal information.
How Does This Affect Me?
In 2010, 39% of all internet security breaches were caused by 3rd party vendors. These vendors can be any person or company, from cloud service providers to medical billing services to stock brokers. Now that the law protecting all Massachusetts residents is being strictly enforced nation-wide, companies must obtain 3rd party vendors' written consent to safeguard all personal information in compliance with the written information security program (WISP), which typically ensures confidentiality, integrity, and availability.
You may remember back in January when Zappos.com, the Amazon.com-owned clothing and shoe retailer, was hacked. Personal information on roughly 24 million customers was unlawfully taken. The stolen data included names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers. The perpetrator gained access to Zappos' information through one of the company's poorly protected Kentucky-based servers. Though Zappos quickly communicated the problem to its customers, it also, in a panic, shut down its customer service phone lines and denied access to the website from locations outside the U.S. The security breach, theft, and subsequent damage to the reputations of Zappos and Amazon are ominous, and terribly realistic, examples of what 201 CMR 17.00 is trying to protect against.
Zappos and Amazon are currently in the middle of a class action lawsuit, filed in U.S. District Court in Louisville, Kentucky the day after the hack occurred. The plaintiff alleges that Amazon failed to adopt and maintain adequate procedures to protect such information and to limit its dissemination to the permissible purposes set forth. And though the plaintiff's attorney, Ben Barnow, thinks "this type of information is for sale, the risk is hanging out there," 201 CMR 17.00 completely invalidates his notion.
In terms of protecting Massachusetts residents, any violator or company is subject to a temporary restraining order, a permanent injunction, a five thousand dollar penalty, or reimbursement of all costs and fees (attorney's fees, costs of investigation and litigation). A violator or company that infringes the terms of a restraining order or injunction is subject to a ten thousand dollar penalty. Instead of a settlement forcing Amazon to pay a five or ten thousand dollar fine in total, it could be forced to pay that amount for each Massachusetts resident in its database whose information was breached.
Ensure Your Safety
The best way to ensure your personal safety and to prevent identity theft and fraud is to make sure that any contracts negotiated with companies and 3rd party vendors require strict security procedures. These can include encryption, firewall hardening, employee training programs, breach response plans, anti-virus protection, and monitoring of newly implemented policies.
Are You Compliant?