We help your organization comply with Massachusetts General Law 93H 201CMR17.00


NSK Inc. provides a compliance assessment service  MPICA™ (Massachusetts Personal Information Compliance Assessment) to organizations in Massachusetts required to comply with MGL Chapter 93H 201CMR17.00. This law concerns any Massachusetts organization that stores or maintains personal information about a Massachusetts resident, including employees.

MPICA™ provides a detailed report that explains what your organization will have to do in order to become compliant with the computer system security requirements detailed in 201CMR17. Once you have the results of the report, you can choose when and how to carry out the projects.

Please note that the regulation includes 3 areas: Computer System Security Requirements, a Written Information Security Program (WISP) and education and training of employees. NSK Inc. is focusing only on the computer system security requirements portion of the law. However, we can provide you with assistance and/or contact information of companies that can help you with the other sections of the regulation.

Are You Compliant?

For Legal Resources and help with MGL 93H 201CMR17, NSK Inc has been working with Burns and Levinson, LLP. If you have any legal questions regarding this new regulation please give them a call at: 617-345-3000.

Notifications Report – from the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). Explains reasoning for the law being written

Your Timeline for Compliance – Map out what needs to be done in the next couple of months to become compliant with 93H 201CRM27.

Frequently Asked Questions Regarding MGL 93H 201 CMR 17.00 – Answered by the OCABR

Massachusetts Data Security Regulations: New Rules and Old Lessons – This is a PDF download of a presentation that was delivered by Barbara Anthony, Undersecretary of the Office of Consumer Affairs and Business Regulation to the Financial Services Committee early in November.

201 CMR 17.00 Compliance Checklist – The OCABR has compiled this checklist to help small businesses in their effort to comply with 201 CRM 17.00. This Checklist is not a substitute for compliance with 201 CRM 17.00. Rather, it is designed as a useful too to aid in the development of a written information security program for a small business or individual that handles “personal information.” Each item, presented in question form, highlights a feature of 201 CMR 17.00 that will require proactive attention in order for a plan to be compliant.


This regulation implements the provisions of MGL 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Further purposes are to:

  • To ensure security and confidentiality of information consistent with IT industry standards
  • To protect against anticipated threats or hazards to the security or to the integrity of information
  • To protect against unauthorized access to or use of such information

201CMR17.00 Standards for the Protection of Personal Information of Residents of the Commonwealth

What MPICA™  will Evaluate

Identification of personal information on computer systems and devices

NSK Inc will  actively scan your network and identify the location of personal information. We will scan your server, as well as user information we gather from you and your IT staff to determine which laptops and desktops need to be scanned. We scan all servers, desktops, laptops to identify personal information and report on its location.

For large organizations we can spot check for false positives. Once personal information is identified, we can work with you to ensure accordance with the regulations.

User access policies

A large part of the regulation is focused on a written information security policy.  NSK Inc. will perform an assessment of the security policy currently in use at your organization and determine whether or not your current policies fall within the regulation.

These policies include password strength, change frequency, access to personal information, username structure and retention, as well as other IT specifics regarding the user access to personal information.

Server and computer protection

NSK Inc. will evaluate the safeguards in place to protect your organization from external threats. We will ensure that precautionary measures are taken, such as malware protection, spyware protection and virus protection. Most organizations that have some form of virus protection in place are unsure of how well it is performing.

NSK Inc. will also evaluate the health of your system and make recommendations to ensure the maximum computer system protection. We will confirm the system is updating regularly, active on all production machines and protecting your devices from all forms of external attack.


201CMR17.00 has specific conditions regarding firewall protection. NSK Inc. will provide an IT evaluation regarding the health, age, strength and overall effectiveness of the firewall in place.

In the event that the firewall does not meet the needs of the organization or this regulation, we will recommend one that does. As part of this process we will also check the general firewall configuration and ensure that best practices are followed. Although this is NOT a vulnerability assessment, MPICA is designed to ensure that IT best practices are followed and security risks are minimized or eliminated.

Portable devices (PDAs, USB flash drives, backup tapes, laptops)

As part of the evaluation, we will work with you and your staff to assess the movement of personal information into and out of the organization. By looking at common IT devices and policies surrounding them, we can make IT security recommendations on how to ensure that your organization decreases its risk of security breach through the use of mobile data storage and other mobile technologies.

Electronic transmission of personal information and wireless networks

Lastly, as part of MPICA, NSK Inc. will identify and evaluate the movement of personal information via e-mail, FTP and wireless technologies.  201CMR17 specifically requires the need for encryption of data transfer containing personal information. Our IT security assessment is specially designed to identify this data and provide IT solutions for data security regarding transmission and ease of use. Wireless networks also fall under this category in that you need to ensure a strong, reasonable encryption.

What You Receive after  MPICA™

  • An Overview of the process we used to perform the evaluation
  • Assessment Results
  • Quotes and important information relevant to your specific situation regarding a process for being in compliance.
  • A recommendation of solutions for ensuring compliance

This assessment will help your company become compliant with the new Massachusetts Law regarding a Massachusetts residents; ensure security and confidentiality of information consistent with the industry standards; protection against anticipated threats or hazards to the security or integrity of your company information and information; and protection against unauthorized access to or use of such information.

Related Packages & Services

Thorough analysis, assessment and audit of your company’s IT security.

On-site support and management from our experts.