Masthead web

Massachusetts 201 CMR 17.00

Solutions - Start HereStart Here Graphic

Developing a legally defensible and technically sound Comprehensive Written Information Security Program (WISP) requires a multidisciplinary team approach. Basically, compliance with information security laws is ultimately a question of legal compliance. An experienced lawyer who can communicate on a technical level with in-house and outside technical vendors is invaluable. Information security laws like Massachusetts' 201 CMR 17.00, require covered entities to demonstrate compliance with a "written" information security plan.  It makes sense from the start to design a comprehensive and legally defensible written plan.  Moreover, written identity theft prevention programs need to be coordinated with other overlapping information security and records management requirements, including the FTC Red Flags Rule, the PCI/DSS credit card industry rules and the organization's Document Retention/Destruction Policy. Another reason for early involvement of the legal component of the solution is that 201 CMR 17.00 requires employee training and updates to Human Resources (HR) procedures and employee manuals.

Highlights of Re-Amended 201 CMR 17.00 Regulations (August 2009)

The August amendments contain a substantial shift to a "risk based" approach requiring "reasonable steps."  The current requirements take into account the size, scope of business, available resources and other factors concerning a particular business organization.  The thrust of the shift is from prescriptive requirements to descriptive guidelines.

Encryption requirements in the prior regulations prompted pushback from business and the computer industry.  The 128-bit encryption standard has been changed to a concept of "technical feasibility" to be applied to computer security requirements.  Laptop computers are still required to have encryption because it is seen as technically feasible. Because other portable devices have inconsistent security capabilities the prescription for such devices will be measured on a case by case basis.

Written Information Security Programs (WISP) are still required and the apparent intent of the new regulations is not to weaken the consumer protection aspects of the law. M.G.L. c. 93H.

The August 2009 regulations are compared to the earlier version below in "redline" format.  You can find a copy of the August regulations here.  Note, the regulations were finalized in October and contain additional changes.  Read more...

For more information, the MA Office of Consumer and Business Regulation (OCABR) has published a FAQ sheet.  See OCABR FAQ...



17.01: Purpose and Scope 

17.02: Definitions 

17.03: Duty to Protect and Standards for Protecting Personal Information 

17.04: Computer System Security Requirements  

17.05: Compliance Deadline


17.01 Purpose and Scope 

(1) Purpose 

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own,  or license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.  Further purposes The objectives of this regulation are to (i) ensureinsure the security and confidentiality of suchcustomer information in a manner fully consistent with industry standards, (ii); protect against anticipated threats or hazards to the security or integrity of such information,; and (iii) protect against unauthorized access to or use of such information in a manner that creates a may result in substantial risk of identity theftharm or fraud against such residentsinconvenience to any consumer

(2) Scope 

The provisions of this regulation apply to all persons that own,  or license, store or maintain personal information about a resident of the Commonwealth. 


17.02: Definitions 

The following words as used herein shall, unless the context requires otherwise, have the following meanings: 

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure. 

Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities. 

Encrypted, the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the Office of Consumer Affairs and Business Regulation. 

Owns or licenses, receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof. 

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 

Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Service provider, any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “Service provider” shall not include the U.S. Postal Service.


17.03: Duty to Protect and Standards for Protecting Personal Information 

(1) Every person that owns,  or licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, and maintain and monitor a comprehensive, written information security program applicablethat is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to any records containing such (a) the size, scope and type of business of the person obligated to safeguard the personal information.  Such  under such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the ; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of such records.  Moreover,

theboth consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a

similar character set forth in any state or federal regulations by which the person who owns,  or licenses, stores or maintains such information may be regulated.      (2)  Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, whether pursuant to section 17.03 or 17.04 hereof, shall be evaluated taking into account:   (a) the size, scope and type of business of the person obligated to    safeguard the personal information under such comprehensive     information security program;    (b) the amount of resources available to such person;    (c) the amount of stored data; and    (d) the need for security and confidentiality of both consumer and    employee information.    (3)

(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:   1.

(a) Designating one or more employees to maintain the comprehensive information security program;  2.

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:  a

1. ongoing employee (including temporary and contract employee) training;  b

2. employee compliance with policies and procedures; and c

3. means for detecting and preventing security system failures.  3.

(c) Developing security policies for employees that take into account whether and how employees should be allowedrelating to keepthe storage, access and transporttransportation of records containing personal information outside of business premises.   4.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules. 

5.(e) Preventing terminated employees from accessing records containing personal information

(f)  Oversee service providers, by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.   6

1. Taking all reasonable steps to verify that any select and retain third-party service provider with access to personal information has the capacity to providers that are capable of maintaining appropriate security measures to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that consistent with these regulations and any applicable federal regulations; and 

2. Requiring such third-party service provider is applying to such personal information providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures at least, so long as stringent as those required to be applied to personal information under 201 CMR 17.00.  7.  Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements.  8. Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information.  9.contract was entered into before March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted;,, and storage of such records and data in locked facilities, storage areas or containers.   10.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.    


(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.     12.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.        


17.04: Computer System Security Requirements 

Every person that owns,  or licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its

written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements: 

(1) Secure user authentication protocols including: 

(a) control of user IDs and other identifiers; 

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; 

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; 

(d) restricting access to active users and active user accounts only; and 

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; 

(2) Secure access control measures that: 

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and 

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; 

(3) To the extent technically feasible, encryptionEncryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. 

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; 

(5) Encryption of all personal information stored on laptops or other portable devices; 

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. 

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. 

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security. 


17.05: Effective Date   Compliance Deadline

(1)Every person who owns,  or licenses, stores or maintains personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before  JanuaryMarch 1, 2010. 



: 201 CMR 17.00: M.G.L. c. 93H

For more information about our Information Security Consulting Practice please contact Steve O’Neill at or toll-free 888-766-3455.

Information Security
Consulting Services Available

  • Fully Confidential Advice

  • Development of Legally Defensible Written Information Security Programs (WISP)

  • FTC "Red Flags" Rule learn more

  • Data Breach Response Plans

  • HR Policy Revisions

  • Employee Training

  • PCI/DSS Credit Card Industry Rules

  • Solutions coordinated with Document Retention / Destruction Policies

  • Compliant Email Retention Policies

Professional Partners

  • Network Systems Security Consultants

  • Electronic Storage Systems Consultants

  • Professional Records Managers

  • Computer Forensics Consultants