With the Massachusetts Data Security Law (SPPIRC) going into effect in March 2010, the clock has started ticking on your legacy vendor agreements. You have less than two years (until March 1, 2012) to bring those vendor agreements into compliance with the statute. Although two years sounds like a long time, consider the following:
Identify relevant service providers and perform Vendor Threshold Assessment (VTA)
Although one would hope this step is relatively easy, most companies I work with have difficulty even identifying all the business partners and agreements they have in place, especially if contracts are managed within the business units instead of centrally. Once you have identified the vendors, you will need to review the service each one provides and perform a level one assessment to determine whether the relationship gives the vendor access to your customers' information (electronic or paper).
Perform Vendor Impact Assessment (VIA)
Once level II providers are identified, it is time to take a deeper dive to ensure they comply with the law. In essence, they need to have a security program in place. This program should include:
- One or more persons assigned security program responsibilities
- Implementation of an annual program risk assessment and oversight process
- Awareness Training (employee and contractor)
- Access and Encryption Controls
- Program monitoring for control failures
- Policies and Disciplinary actions for non-compliance
Negotiating / renegotiating terms
Following the vendor impact assessments, there will likely be one or more identified risks for which action plans are needed. These actions may drive up the service providers' costs, so be cognizant that as your expectations increase, the price of the services provided may increase as well.
Find a new vendor
If you cannot come to terms with your existing vendor(s), you may have to find a new vendor. Make sure you take the Massachusetts requirements into account when negotiating all new contracts.