The last and most difficult provision of Massachusetts’ notorious data privacy law kicks in March 1, putting companies nationwide in the tenuous position of policing their third-party service providers.
The law, enacted in response to TJX Cos.’ infamous data privacy breach in 2007 that exposed the private data of some 46 million people, at first required companies to set up strong internal protections for any personal information they may hold on Massachusetts residents. That data can include a person’s name in combination with credit card numbers, driver’s license information, bank account numbers, and other government-issued identifiers. Now the deadline looms for companies to require their third-party service providers, by contract, to implement and maintain similar “appropriate security measures” for that same personal data, according to the law.



