Can I use third-party cloud storage services that collect personal information in Massachusetts? What are the requirements?
Using Third-Party Cloud Storage Services in Massachusetts
Yes, you can use third-party cloud storage services that collect personal information in Massachusetts, but you must ensure that the service provider is capable of maintaining appropriate security measures to protect such personal information consistent with the requirements of Massachusetts regulations [1.1].
According to 201 CMR 17.03(2)(f)1, you must take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations [1.1]. Additionally, 940 CMR 27.03(4) requires that you take reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.03 [4.1].
Therefore, if you are using third-party cloud storage services that collect personal information in Massachusetts, you must ensure that the service provider is capable of maintaining appropriate security measures to protect such personal information consistent with the requirements of Massachusetts regulations.
Requirements for Protecting Personal Information
Under Massachusetts regulations, every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business [1.1].
The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated [1.1].
The comprehensive information security program must include, but not be limited to, designating one or more employees to maintain the program, identifying and assessing reasonably foreseeable internal and external risks to the security of personal information, developing security policies for employees relating to the storage, access, and transportation of records containing personal information outside of business premises, imposing disciplinary measures for violations of the program rules, preventing terminated employees from accessing records containing personal information, overseeing service providers, and regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information [1.1].
Duty to Report Known Security Breach or Unauthorized Use of Personal Information
If you are using third-party cloud storage services that collect personal information in Massachusetts, you must report any known security breach or unauthorized use of personal information to the owner or licensor of such information as soon as practicable and without unreasonable delay [2.1].
Conclusion
You can use third-party cloud storage services that collect personal information in Massachusetts, but you must ensure that the service provider is capable of maintaining appropriate security measures to protect such personal information consistent with the requirements of Massachusetts regulations. This includes the development and implementation of a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business. Additionally, you must report any known security breach or unauthorized use of personal information to the owner or licensor of such information as soon as practicable and without unreasonable delay.
Source(s):
- [1.1] Duty to Protect and Standards for Protecting Personal Information
- [2.1] Duty to report known security breach or unauthorized use of personal information
- [4.1] Written Information Security Program
Jurisdiction
Massachusetts