
201 CMR 17.00

Standards for the Protection of Personal Information of Residents of the Commonwealth

Massachusetts' comprehensive data security regulation, requiring businesses to protect the personal information of Massachusetts residents.

Executive Summary

Requires businesses that handle the personal information of Massachusetts residents to implement a Written Information Security Program (WISP) covering encryption, access controls, employee training, and third-party vendor management.

Comprehensive Documentation

201 CMR 17.00 - Massachusetts Data Security Law

Overview


201 CMR 17.00 is one of the nation's most comprehensive state data security regulations, requiring all businesses that own or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive Written Information Security Program (WISP).

Who Must Comply


  • Any business that owns or licenses personal information about a Massachusetts resident

  • Applies regardless of where the business is located

  • Personal information means a resident's first name and last name (or first initial and last name) in combination with a Social Security number, driver's license number, or financial account number


Key Requirements

1. Written Information Security Program (WISP)


Every covered business must create and maintain a written program that documents:
  • Administrative, technical, and physical safeguards

  • Risk assessments

  • Employee training procedures

  • Vendor management protocols


2. Required Security Measures


  • Encryption in transit: All personal information transmitted wirelessly or across public networks must be encrypted

  • Secure user authentication: Strong passwords and access controls are required

  • Access restrictions: Limit access to personal information to those who need it

  • Monitoring: Systems must be monitored for unauthorized access

  • Encryption at rest: Personal information stored on laptops and other portable devices must be encrypted

  • Firewall protection: Up-to-date firewall protection is required on systems holding personal information

  • Security updates: Operating systems and security software must be kept current

  • Employee training: Regular security training for all employees with access to personal information


3. Third-Party Service Provider Requirements


  • Require third-party service providers, by contract, to implement and maintain appropriate security measures for the personal information they handle

  • Conduct due diligence on service providers' security capabilities before engaging them


4. Compliance Deadlines


  • Effective March 1, 2010 (fully phased in by May 1, 2010)

  • Ongoing compliance required


Penalties


  • Enforcement by Massachusetts Attorney General

  • Civil penalties up to $5,000 per violation

  • Private right of action under M.G.L. c. 93A (unfair and deceptive practices)


Related Massachusetts Requirements


  • Works in conjunction with M.G.L. c. 93H (Data Breach Notification Law)

  • Complements the Massachusetts Data Privacy Act (pending at the time of writing)


Implementation Guidance


  1. Conduct a risk assessment of how personal information is collected, stored, and transmitted

  2. Create the Written Information Security Program (WISP) based on that assessment

  3. Implement required technical safeguards (encryption, access controls)

  4. Train employees on security procedures

  5. Review and update vendor contracts

  6. Regularly review and update security measures


Applicable Industries

  • All Industries

  • Healthcare

  • Financial Services

  • Technology

  • Retail

  • Research

Company Size

All company sizes

Effective Date

3/1/2010

Penalties for Non-Compliance

Civil penalties up to $5,000 per violation. Private right of action under M.G.L. c. 93A.

Massachusetts-Specific Requirements

Businesses handling the personal information of Massachusetts residents must implement a comprehensive Written Information Security Program (WISP) with encryption, access controls, and third-party vendor management.

For Massachusetts Companies

This is a Massachusetts-specific regulation that applies to companies operating in Massachusetts or serving its residents, regardless of where the company is located. All applicable companies must comply.