What does this mean for you?
If you have clients residing in Massachusetts, you have an obligation to ensure that third-party service providers you do business with, and that may have access to client information, implement and maintain appropriate security measures for the protection of client personal information. The regulation established minimum standards to be met in connection with the safeguarding of personal information, covering both paper and electronic records. Section 17.03(2)(f): “Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information…”
The contract between the Investment Adviser and service provider must contain language requiring the service provider to have protection measures in place.
We recommend you:
- Review your client list and identify whether you have clients residing in Massachusetts
- Review your contracts with third-party providers that may provide services to Massachusetts clients
- If the contracts do not contain the required terms, re-negotiate and execute contracts to be compliant with the regulation
- Review your Privacy Policy and Procedures, verify them against the required standards, and ensure the firm is in compliance with those standards and includes all the provisions of Section 17.03: Duty to Protect and Standards for Protecting Personal Information.
Red Oak Compliance Solutions is available to help. We can review your privacy policies, assist in the creation or updating of your privacy policies, as well as provide guidance on all of your compliance needs. For more information on the Massachusetts privacy regulations or to request information on how we can help, please contact us.