Massachusetts 201 CMR 17.00: Are You Compliant?
Massachusetts regulation 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, is one of the broadest data protection laws in the country. What’s more, it affects nearly every company that conducts business or has customers in the Commonwealth.
As it is now nearly two months since the deadline for compliance passed, I thought it would be useful to do a quick review of what the regulation is, what it means for established and new businesses, and to offer Anteris clients and other readers an opportunity to share their experiences in dealing with the new regulation.
201 CMR 17.00: What is it?
201 CMR 17.00 is a regulation governing the protection of personal information for residents of the Commonwealth of Massachusetts that went into effect on March 1, 2010. It applies “to all persons that own or license personal information about a resident of the Commonwealth” and defines personal information as:
- a person's first and last name, or first initial and last name,
- AND one or more of the following data elements that relate to such resident:
  - Social Security number;
  - driver's license number or state-issued identification card number;
  - financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
The regulation covers all records containing personal information, including both electronic data and paper records. It is also important to note that it applies to both data at rest and data in transit.
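To make the definition concrete, here is an added example (not part of the original post, and not an Anteris tool) that applies it to a handful of constructed records. The column names (first_name, ssn, card_number and so on) and the sample values are this example's own assumptions; the regulation names the data elements, not a schema. It shows the cases the wording distinguishes: a first initial counts as a name, a card number qualifies even without a security code, and a Social Security number with no name attached is not personal information on its own.

```python
"""Apply the 201 CMR 17.00 definition of "personal information" to records.

Added example: field names and sample records are assumptions made for
illustration, not a schema or data taken from the regulation.
"""

# Data elements that, combined with a name, make a record "personal
# information". Keys are assumed column names; values are the regulation's
# wording, used for the inventory summary.
DATA_ELEMENT_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or state-issued ID number",
    "account_number": "financial account number",
    "card_number": "credit or debit card number",
}


def _filled(record, key):
    """True when the field exists and is not blank."""
    return bool((record.get(key) or "").strip())


def has_name(record):
    """Name half of the definition: first and last name, or first initial
    and last name. A one-letter first_name therefore still qualifies."""
    return _filled(record, "first_name") and _filled(record, "last_name")


def present_data_elements(record):
    """Which of the listed data elements the record carries."""
    return [k for k in DATA_ELEMENT_FIELDS if _filled(record, k)]


def is_personal_information(record):
    """Name AND at least one data element. A security code, PIN or password
    is not required: a bare card or account number already qualifies."""
    return has_name(record) and bool(present_data_elements(record))


def inventory(records):
    """Summarise the in-scope records and the data elements they hold, which
    is the input the 'what personal information do we keep' step needs."""
    in_scope = [r for r in records if is_personal_information(r)]
    elements = sorted({k for r in in_scope for k in present_data_elements(r)})
    return {
        "total": len(records),
        "in_scope": len(in_scope),
        "data_elements_held": [DATA_ELEMENT_FIELDS[k] for k in elements],
    }


# Constructed sample records (fictional values), one per case the definition
# distinguishes.
SAMPLE_RECORDS = [
    # payroll row: full name plus SSN -> in scope
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},
    # initial plus last name plus card number, no security code -> in scope
    {"first_name": "J", "last_name": "Doe", "card_number": "4111111111111111"},
    # SSN with no name attached -> not personal information by itself
    {"first_name": "", "last_name": "", "ssn": "000-00-0000"},
    # name with only an e-mail address -> not one of the listed elements
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(is_personal_information(r), present_data_elements(r))
    print(inventory(SAMPLE_RECORDS))
```

Run against a real export of customer, payroll or vendor data, the inventory summary tells you which of the regulation's data elements you actually hold, which is what the WISP has to describe and protect. Remember that the definition reaches paper records and data in transit as well, so a scan of a database is only part of the assessment.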
To whom does it apply?
It’s common to think of sensitive personal information as being associated with customer records, financial transactions, etc., but as it is defined in MA 201 CMR 17, personal information is kept and managed by any business that has employees, because payroll records contain names and Social Security numbers. Only municipalities are exempt from the regulation.
What does the regulation require?
In a nutshell, 201 CMR 17 requires businesses to have a written, comprehensive information security program, sometimes called a WISP, and to take reasonable measures to protect personal information. The WISP is critical, and the specific things it must include are outlined in the regulation. It is important to realize, too, that protecting personal information is as much about business practices and administrative controls as it is about technical safeguards. Examples include training employees, physically protecting paper documents, encrypting electronic records and e-mail, properly selecting and assigning user accounts and passwords, controlling access to fax machines, etc.
What has your business done to achieve compliance?
If the answer is “nothing”, there are a number of things you should do:
- Read the regulation. It’s only four pages.
- Assess what personal information your business maintains
- Conduct a risk assessment to determine the likelihood of experiencing a data breach and the impact it would have (be sure to account for fines, damage to your reputation, etc.)
- Assess your current practices and level of compliance
- Develop a written, comprehensive information security program (WISP)
- Implement the program (it may be necessary to work with professional service providers such as lawyers, technology partners, etc.)
- Conduct an internal audit to ensure your compliance objectives are met
If your business has implemented compliance measures for MA 201 CMR 17, we’d love to hear about your experiences. Just post a comment below. If you have any questions or want to share your thoughts on the regulation or about information security in general, please feel free to post as well.
It should be noted that this is not a comprehensive discussion of the new regulation and Anteris cannot provide legal advice. For a legal interpretation of 201 CMR 17 or legal advice related to your specific business, please contact an attorney.