Massachusetts 201 CMR 17.00 is a state regulation that requires any person or business that stores, processes, or transmits personal information of Massachusetts residents to implement and maintain reasonable security measures to protect that information. This regulation applies to all businesses and organizations, regardless of size or industry, that handle personal information of Massachusetts residents.
The regulation defines personal information as an individual's first name and last name, or first initial and last name, in combination with any one or more of the following data elements: Social Security number, driver's license number, state-issued identification card number, financial account number, or credit or debit card number.
The regulation requires covered entities to implement and maintain reasonable security measures, including:
Designating a responsible employee to oversee the implementation and maintenance of the security program
Implementing and maintaining a comprehensive information security program that includes administrative, technical, and physical safeguards
Encrypting all personal information when it is transmitted wirelessly or stored on laptops or other portable devices
Implementing and maintaining secure user authentication protocols
Implementing and maintaining a system for monitoring and detecting unauthorized access to personal information
Regularly testing and monitoring the effectiveness of the security program
Providing regular security training to employees
Providing notice to affected individuals and the Massachusetts attorney general in the event of a security breach
The regulation also requires businesses to maintain written documentation of their information security program, to update it regularly, and to be able to demonstrate compliance to the state's attorney general upon request.
It's important for businesses and organizations to be aware of the requirements of Massachusetts 201 CMR 17.00, and to take appropriate steps to comply with the regulation, in order to protect the personal information of Massachusetts residents and avoid potential penalties for non-compliance.
Ref:
201 CMR 17.00: Standards for the Protection of Personal Information of MA Residents | Mass.gov