Introduction

Under Massachusetts law Harvard is responsible for any improper handling of high risk confidential information by any vendor that collects, processes, or maintains the information for Harvard. Thus, all relationships with such vendors must be formal in the sense that a contract is required. The contract must include requirements for the vendor to protect the information, to limit access to those who must access it in order to perform the tasks under contract, and to notify Harvard if there is a potential security breach.