Massachusetts enacted 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, a new regulation regarding the safeguarding of Massachusetts residents' personal information, in 2009 with a compliance date of March 1, 2012. The regulation set standards to be met by persons, including Investment Advisers, with clients residing in Massachusetts, requiring privacy protection clauses or language in the contracts entered into with third party service providers.

The compliance requirements of the law and regulations contained a grandfathering provision for any contract entered into prior to March 1, 2010. Under the grandfather provision, Investment Advisers with service provider contracts entered into before March 1, 2010 were deemed to be in compliance even if the contract made no reference to data protection.

We’re highlighting the regulation today to remind you that the grandfather provision EXPIRES on March 1, 2012. As of this date, all investment advisers with clients residing in the state of Massachusetts must be in compliance with this law, regardless of when the contract was entered into.

What does this mean for you?

If you have clients residing in Massachusetts, you have an obligation to ensure that the third party service providers you do business with, and that may have access to client information, implement and maintain appropriate security measures for the protection of client personal information. The regulation established minimum standards to be met in connection with the safeguarding of personal information, covering both paper and electronic records.

Section 17.03(2)(f): “Oversee service providers, by:
1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information…”

The contract between the Investment Adviser and service provider must contain language requiring the service provider to have protection measures in place.

We recommend you:
- Review your client list, identify whether you have clients residing in Massachusetts
- Review your contracts with third party providers that may provide services to Massachusetts clients
- If the contracts do not contain the required terms, re-negotiate and execute contracts to be compliant with the regulation
- Review your Privacy Policy and Procedures, verify against the standards required and ensure the firm is in compliance with the standards and includes all the provisions of Section 17.03: Duty to Protect and Standards for Protecting Personal Information.

If you have clients residing in Massachusetts, it’s critical you address this regulation in a timely manner, as there are penalties for non-compliance.

Red Oak Compliance Solutions is available to help. We can review your privacy policies, assist in the creation or updating of your privacy policies, as well as provide guidance on all of your compliance needs. For more information on the Massachusetts privacy regulations or to request information on how we can help, please contact us.