Important update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? 

Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below).  Take the checklist and add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that. 

If your third-party is not willing to go the extra mile, you’ll have not choice but to move on.  The eventual financial risks and public image drubbing may be too high.  Are you willing to chance it?

Let me know your thoughts.