The Massachusetts law 201 CMR 17.00, which requires U.S. organizations to protect the PII of Massachusetts residents, went into its final enforcement phase on March 1, 2012. By that date, with no exceptions, businesses that send Massachusetts residents’ PII to vendors (service providers) had to require in the providers’ contracts that they, too, abide by the law.
U.S. legislators are setting up a domino effect, getting us to abide by laws by forcing us to include those laws in our business contracts. While writing CMR 17.00, HIPAA and HITECH, legislators knew that the laws themselves would be ignored by many companies. But as long as there is a critical mass of law-abiding companies, there will also be a chain reaction of other companies that follow the law . . . if they want to do business.
And it seems to be working. Among Halock’s clients, a good number are requesting help to become compliant with laws and regulations so they can satisfy client contracts.
So on March 1, 2012, CMR 17.00, the most stringent of the U.S. state laws for protecting PII, started requiring that companies pass on full compliance requirements to their PII-carrying vendors. Most companies will ignore this requirement at first. But when a critical mass starts enforcing those contracts, you’ll want to be ready to say, “Yeah. Yeah, we do that.”