What is 201 CMR 17.00?
The regulation has three stated objectives for safeguarding the personal information of Massachusetts residents:
- Establish minimum standards for safeguarding personal information held in both paper and electronic records
- Ensure the security and confidentiality of that information in a manner consistent with industry standards
- Protect against anticipated threats or hazards to the security or integrity of the information, and against unauthorized access to or use of it that could lead to identity theft or fraud
To meet these objectives, organizations must put in place the administrative, technical and physical safeguards the regulation describes and be able to show that they did so.
Who has to comply with 201 CMR 17.00?
Any organization that owns, licenses, receives, stores or otherwise processes the personal information of a Massachusetts resident must comply with 201 CMR 17.00. Location does not matter: a business outside Massachusetts is covered if it employs a Massachusetts resident or receives checks, card numbers or other payment information from one.
What counts as personal information? A Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to that resident:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, or credit or debit card number, with or without any required security code, access code, PIN or password that would permit access to the account
Information lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the general public, is not personal information under the regulation.
What are the requirements under 201 CMR 17.00?
201 CMR 17.00 imposes a number of requirements on organizations that handle the personal information of Massachusetts residents. In brief:
- Develop, implement and maintain a comprehensive written information security program (WISP) containing administrative, technical and physical safeguards for the protection of personal information (Check out our blog, "Does My Nonprofit Need a WISP?")
- Establish and follow security policies covering how personal information is stored, accessed and transported
- Impose disciplinary measures on employees who violate the WISP
- Document every incident involving a breach of security, the organization's response to it, and any changes made to the program as a result
- Perform regular risk assessments and make the improvements they identify to the security of personal information
- Designate at least one employee responsible for maintaining the WISP and its security policies
201 CMR 17.04 also sets out eight computer system security requirements for any organization that stores or transmits personal information electronically:
- Secure user authentication protocols, including control of user IDs and other identifiers, a reasonably secure method of assigning and selecting passwords (or use of biometrics or token devices), and protection of the passwords themselves so that they are not stored in a location or format that compromises the data they protect.
- Secure access control measures: restrict access to personal information to those who need it to perform their job, and assign each such user a unique identifier that is not a vendor default. Vendors who access personal information on your behalf must be contractually required to maintain their own safeguards.
- Encryption of all records and files containing personal information that travel across public networks or are transmitted wirelessly. Payroll and benefits data is a common example of information that leaves the organization this way. What due diligence have you performed to confirm that the vendors receiving it have appropriate safeguards in place?
- Reasonable monitoring of systems for unauthorized use of or access to personal information. In practice this means keeping user identifiers and authentication credentials under control, restricting access to active users and active accounts only, and blocking access to an account after multiple unsuccessful login attempts.
- Encryption of all personal information stored on laptops and other portable devices. These devices are convenient, but they are also the most likely to be lost or stolen and therefore the most exposed to unauthorized access.
- Reasonably up-to-date firewall protection and operating system security patches on every system connected to the Internet that holds personal information, so that the integrity of that information can be maintained.
- Reasonably up-to-date versions of system security agent software, including malware protection with current virus definitions, with security patches applied on all systems connected to the Internet.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
What is the penalty for noncompliance?
The Massachusetts Attorney General's office enforces the regulation. It notifies an entity found in violation and sets a deadline for coming into compliance; a business that still fails to comply after that notice may face civil penalties of up to $5,000 per violation, which can quickly multiply when many individuals are affected. Penalties on that scale can threaten the viability of an organization, so investing in prevention and protection is in the best interest of the organization and its board.