Organizations responsible for third party security?
- Sunday, February 1, 2009, 19:54
- Threat Research
A new Massachusetts regulation, 201 CMR 17.00, issued by the Office of Consumer Affairs and Business Regulation (OCABR), adds protection requirements around the handling and disclosure of personal information. It is specifically aimed at reducing identity theft arising from personal data held by businesses and organizations that do business in Massachusetts. The regulation builds on the earlier Massachusetts law Chapter 93H (Security Breaches), which requires breach notification much like California's SB 1386.
Some of the major aspects of this new regulation are:
1. It covers non-electronic (paper) records as well as electronic ones.
2. It mandates a written information security program and names persons accountable for upholding it.
3. It covers information such as voicemails, faxes, etc. stored on computer systems that hold sensitive information.
4. It extends an organization's security responsibilities to third-party contractors and outsourced entities.
There is a lot to like about this regulation whether you are a security practitioner or a consumer: for the former it creates job security, for the latter it creates identity security. However, the requirement to assess third parties and to hold them to your own security controls blurs the lines between organizations, and could push us toward new, more shared compliance technologies. At the very least, it is clear that security will no longer be tolerated as an afterthought for corporations; it is now a necessity.
Thoughts to ponder:
1. Should you be responsible (continue reading...)