<img src="https://secure.seem3pick.com/198073.png" style="display:none;">

Massachusetts Businesses: Are You In Compliance?

Posted by Cathie Briggette on Fri, Jul 17, 2009



Do you have all the information you may need to become compliant with the new Massachusetts Regulation 201 CMR 17.00?

This regulation is inherent to Massachusetts General Law 93H (MGL 93H).  This law was written to define the security breaches and regulations for safeguarding the personal information of any Commonwealth of Massachusetts resident.  This regulation implements the provisions of the law and describes what you need to have in place in your company in order to be compliant.

Why was 93H created?  Why 201 CMR 17.00?

Broken Lock The Department of Consumer Affairs and Business Regluations issued this law and these regulations in response to the following data breaches:

  • TJ Max (TJX ), January 17, 2007: Affected about 100 million account numbers. They were hacked several different ways - through wireless connections and kiosks
  • Hannaford Supermarkets, between Dec. 7, 2007 and Mar 10, 2008:   More than 4 million card numbers were exposed, and by the time   Hannaford publicly announced the breach, on March 17, 2008, about    1,800 fraudulent charges had been made.
  • Other Security Threats: Malware, viruses.
In response, M.G.L. Chapter 93H was enacted in November, 2007. Within the first 10 months after enactment of M.G.L. Chapter 93H, the office of Consumer Affairs and Business Regulation received 318 notifications of security breaches.   
  • 10 involved data that was encrypted
  • 69 involved data that was password protected
  • Total MA residents affected was 625,365 
  1. 60% were due to stolen laptops or hard-drives and 40% were employee error or sloppy internal handling.
  2. 75% were in the financial services sector.  

 Massachusetts then took the lead in passing a new regulation - 201 CMR 17.00 - that required companies to implement a comprehensive data security plan that incuded encryption of all computer systems with personal information of a Massachusetts resident. 

What Does This Mean to Your Business? 

  Blackberry_Computer It means that the Commonwealth of Massachusetts is setting minimum standards for the protection of personal information, whether that information is stored in electronic or paper format.  It means that if your company owns, licenses, stores or maintains personal information about a Massachusetts resident You MUST take steps to comply with this new regulation.

What is Personal Information?

  Confidential Files According to 201 CRM 17.00, personal information is defined as the First Name or First Initial, Last Name and any one or more of the following information:
  • Social Security Number Credit Card or Debit Card Number
  • State ID Card Bank or Financial Account Number Drivers
  • License Number
  • If you accept credit cards, you have the imprint of the card or the data from the magnetic strip. This information falls in the above catagory. You MUST take steps to comply.
 If you are a business located in Massachusetts or you have employees who reside in Massachusetts and you have copies of driver's licenses, employment applications, personnel files or payroll information on those employees, you MUST take steps to comply.

What Do You Need To Do? 

Establish and Maintain a security program to all who have access to personal information with the following Elements:

Computer System Security Requirements 


  1. Control of user IDs and passwords
  2. Secure method of assigning and selecting passwords
  3. Assign unique identifications plus passwords which are not default passwords
  4. Block access after multiple unsuccessful attempts to computers and servers holding the personal information
  5. Restrict access to inactive accounts
  6. Restrict access to files, to those that need acces to perform their job duties

Transmission of personal information

  1. Encryption of all transmitted rocords and files containing personal information that travels across public networks
  2. Encryption of all wireless networks

Encryption of portable devices

  1. Personal information stored on laptops and other portable devices must be encrypted

Staying Up-To-Date

  1. Make sure all computer and servers that hold personal information stay up to date on:
    1. Operating system patches
    2. Firewall software
    3. Antivirus software set to receive most current updates on a regular basis
    4. Antivirus software must include malware protection

Training and Monitoring

  1. Education and training of employees on the proper use of the computer security system and the importance of personal information security
  2. Reasonable monitoring of systems for unauthorized use or access to personal information 

Written Information Security Program (WISP)

  1.  Dsignate 1 or more persons to maintain the program
  2. Identify risks and evaluate safegaurds
  3. Develop security posicies for employees that work outside the office
  4. Impose disciplinary measures for program violations
  5. Prevent terminated employees from accessing personal information
  6. Make sure that third-party service providers have an information Security program that is compliant
  7. Limit the amount of personal information collected, the time it is retained and access to it
  8. Identify system used to store personal information
  9. Restrict physical access to records
  10. Regularly monitor the program once it is in place
  11. Review the scope of security measures at least annually or when there is a change in business practices
  12. Document responsive actions taken in a security breach incident

Tags: 201CMR17.00

Subscribe to our BLOG

Recent Posts