Massachusetts Personal Information Assessment (MPICA)- What Does It Include?

What you can expect from this Assessment

  • Overview of the process we used to perform the evaluation
  • Results of the assessment
  • Recommended solutions for ensuring compliance
  • Quotes and relative information for your specific situation regarding a process for being in compliance

This assessment will help your company:

  • Ensure security and confidentiality of information consistent with industry standards
  • Protect against anticipated threats or hazards to the security or integrity of information
  • Protect against unauthorized access to or use of such information

Help for new Massachusetts Law (MGL) 93H Regulation 201CMR17.00 - Securing And Protecting Personal Information 

As a result of the new regulations instituted by the state of Massachusetts concerning the protection of personal information of state residents, NSK has developed a system to get businesses into compliance with the computer system security requirements of the regulation. (The regulation can be viewed here.)

Please note that the regulation includes 3 areas:

1. Computer System Security Requirements,

2. Written Information Security Program

3. Education and Training of employees.

NSK is focusing only on the Computer System Security Requirements; however, we can provide you with assistance and/or contact information for companies that can help you with the other sections of the regulation

The assessment provides a detailed report, explaining what your company will have to do in order to become compliant with the Computer System Security Requirements detailed in the regulation. Once your company has the results of the report, you can choose when and how to carry out the projects. The assessment will evaluate the following items:


NSK will use a software package to actively scan and find personal information on your network. We will install the software on a server, and use information we gather from you and your IT staff to determine which laptops and desktops need to be scanned. We can scan all servers, desktops, laptops and locate personal information and report on its location.

For large organizations we can spot check for false positives. Once Personal information is identified we can work with you to ensure accordance with the regulations.


A large part of the regulation is focused on user access policy. NSK will perform an assessment of the user access policy currently in use at your organization and determine whether or not your current policies fall within the regulation. These policies include password strength, change frequency, access to personal information, username structure and retention and other IT specifics regarding the user access to personal information.


NSK will also evaluate the safeguards in place to protect your company from external threats such as malware, spyware, and viruses. Most organizations have some form of protection in place however are not sure how it is performing. We evaluate the health of the system and will make recommendations to ensure the maximum protection possible. We can confirm the system is: updating regularly, active on all production machines, and protecting your devices from all forms of external attack.


CMR17 has specific regulatory conditions regarding firewalls. NSK will
evaluate the health, age, strength and overall effectiveness of the firewall in

In the event that the firewall does not meet the needs of the organization or this regulation NSK will recommend one that does. As part of this process we also can check the general configuration of the firewall and insure that best practices are followed. Although this is NOT a vulnerability assessment MPICA is designed to ensure best practices are followed and risk is minimized or eliminated.


As part of the evaluation NSK will also work with you and your staff to assess the movement of personal information into and out of the company. By looking at common devices and policies surrounding them, we can make recommendations on how to ensure that your organization has mitigated its
risk from any form of breach through the use of mobile data storage and
other mobile technologies.


Lastly, as part of the MPICA assessment NSK will identify and evaluate the movement of personal information via email, ftp, and wireless technologies. CMR17 is specific with regard the need for encryption of data transfer containing personal information, and our assessment is designed to identify this data and provide solutions allowing for both secure data transmission and ease of use. Wireless networks also fall under this category in that you need to ensure a strong reasonable encryption.

For help with becoming compliant with the new Massachusetts law, please fill out the contact form at the top left and someone from our team will contact you.

You can also reach us by phone at (617) 303-0480 or e-mail us at

 For more information about all the services that NSK Inc offers please Click Here