
Massachusetts Standards for the Protection of Personal Information

The Massachusetts Standards for the Protection of Personal Information, also known as “201 CMR 17.00”, establish minimum standards to be met by organizations that own or license personal information about a resident of the Commonwealth of Massachusetts in connection with the safeguarding of that personal information.

Are you subject to the 201 CMR 17.00?

201 CMR 17.00 applies to those engaged in commerce who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not engaged in commerce.

Obligations & rights under the 201 CMR 17.00

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Information security program

Organizations that own or license personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.

Computer system security requirements

Organizations shall include in their written, comprehensive information security program the establishment and maintenance of a security system covering their computers, including any wireless system.

Continuous monitoring

Organizations must continuously monitor the comprehensive information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and must upgrade information safeguards as necessary to limit risks.

Vendor management

Oversee vendors by taking reasonable steps to select and retain third-party vendors that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00. There should be contracts in place with vendors requiring them to implement and maintain appropriate security measures to protect personal information.




  • What is the objective of “201 CMR 17.00”?

    The objectives of 201 CMR 17.00 are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; to protect against anticipated threats or hazards to the security or integrity of such information; and to protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

    The regulation went into effect on March 1, 2010.

  • What are the breach response requirements?

    Organizations must document the responsive actions taken in connection with any incident involving a breach of security, and must conduct a mandatory post-incident review of the events and of the actions taken, if any, to make changes in business practices relating to the protection of personal information.

  • How frequently should the security measures’ scope be reassessed?

    Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

  • What is personal information and sensitive personal information under the 201 CMR 17.00?

    Personal information is a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

    (a) Social Security number;

    (b) driver’s license number or state-issued identification card number; or

    (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

    It does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
