Can I use third-party collaboration tools that collect personal information in Massachusetts? What are the requirements?
Using Third-Party Collaboration Tools that Collect Personal Information in Massachusetts
Yes, you can use third-party collaboration tools that collect personal information in Massachusetts, but you must ensure that the tools comply with the state’s regulations on the disposal of records containing personal information, the Written Information Security Program (WISP), and the Computer System Security Requirements [2.1][4.1].
According to MGL Chapter 93I, Section 2, any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of personal information.
The WISP, as outlined in 965 CMR 3.03, requires that you take reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect that information in the manner provided for in 201 CMR 17.03, and that you take all reasonable steps to ensure that the provider applies to that personal information protective security measures at least as stringent as those required under 201 CMR 17.03.
Furthermore, 965 CMR 3.04 outlines the Computer System Security Requirements, which require that you establish and maintain security measures covering your computers, including wireless systems, that, at a minimum and to the extent technically feasible, include the following elements:
- (8) For electronic files containing personal information on a system that is connected to the Internet, firewall protection with up-to-date patches, including operating system security patches. The firewall will, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.
- (9) The most current version of system security agent software, which will include anti-spyware and antivirus software with up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions), and which includes security software that is set to receive the most current security updates on a regular basis.
Therefore, if you are using third-party collaboration tools that collect personal information in Massachusetts, you must ensure that the tools comply with the state's regulations on the disposal of records containing personal information, the WISP, and the Computer System Security Requirements. You must also verify that any third-party service provider with access to personal information has the capacity to protect that information in the manner provided for in 201 CMR 17.03, and that it applies to that personal information protective security measures at least as stringent as those required under 201 CMR 17.03.
Source(s):
- [2.1] Duty to Protect and Standards for Protecting Personal Information
- [4.1] Written Information Security Program
Jurisdiction
Massachusetts