Reacting to Massachusetts Privacy Law- Controlling third-party relationships

Posted on November 23, 2008 | Filed Under Privacy Management, Risk Management


Massachusetts 201 CMR 17.00, passed in November 2008, sets guidelines for the protection and privacy of data and requires businesses, individuals and third-party relationships to implement a written comprehensive security plan by May 1, 2009.

Organizations need to understand their privacy liability when dealing with third-party relationships and customer or client data. Too many companies fail to understand that transferring data to a third-party vendor does not transfer the liability and responsibility for protecting that data. Organizations need to maintain the same controls over the data as they would within their own corporate environment, even when the data does not sit physically within the brick-and-mortar walls of the corporation. Maintaining the security of the organization’s information and information processing facilities is more of a challenge when third parties are involved. Organizations must do their due diligence by continuously monitoring, auditing and assessing the relationship in order to stay on top of the security vulnerabilities that those relationships might pose. The communication and transfer agreements should cover what is accessed, processed or managed by external parties. You need to understand what data they will be housing at their location, or need access to, within your organization’s processes or environment. Controls for managing these relationships and protecting the data need to be implemented as part of an overall security plan that includes them. The identification of risk should cover all third-party relationships and address the sensitive data each one possesses, along with the business operations that would be critically affected by its loss. The protection of the data should fit the impact level of the criticality of the data. Organizations can set up controls and contractual obligations that are relevant to the external party. Some of the questions that should be asked of your third-party relationships are:

  1. What asset protection do you have in place to protect the data in storage, in transit, and during communication?
  2. What is the detailed description of the product or service that will be provided?
  3. What is the access control policy, what data will be accessed, and who will be accessing the data?
  4. What arrangements will be made to report, notify and investigate breaches, both internally and externally?
  5. Who will be monitoring the process?
  6. Is there a conflict of interest, legally or ethically, if further analysis needs to be performed?
  7. What is the target level of service, and what levels of service are unacceptable?
  8. What is the respective liability of the organization and the vendor for customer data?
  9. Who owns the intellectual property rights and copyright, and who protects collaborative work?
  10. Do you have a written security program in place that certifies the process?

In addition, be aware of state laws on private investigation that prohibit third parties from monitoring and tracking individuals through computer and network systems to collect potential evidence. The planning and development of third-party relationships should ensure that there is no misunderstanding between the organization and the vendor about the services provided. The organization’s security program should not be sacrificed to accommodate third-party agreements. Taking responsibility for your data will ensure that you are protected and will provide a level of security and collaboration between you and your vendors.