Massachusetts 201 CMR 17 Compliance – Standards for the Protection of Personal Information of Residents of the Commonwealth

Organizations of all kinds, both in Massachusetts and out, are required to comply with Massachusetts Regulation 201 CMR 17. The regulation applies to “all persons that own, license, store, or maintain personal information about a resident of Massachusetts” and requires organizations to meet certain minimum safeguarding standards.

The 201 CMR 17 regulation requires organizations to have a Written Information Security Program (WISP) that describes how the organization implements the required administrative and technical controls defined in the regulation.

At a minimum, the WISP needs to describe:

  • Who is responsible for the program
  • What is the scope of coverage for the program (e.g., records, systems, staff, facilities)
  • How you identify and evaluate internal and external risks
  • How you assess existing safeguards and treat risks
  • That you maintain a documented set of security policies, standards, and procedures
  • That your staff is trained on and is aware of security practices and the disciplinary requirements associated with non-compliance
  • That you control the granting and termination of access to protected information, based on least privilege and need to know
  • That you take steps to verify the security practices of third-party service providers before contractually engaging them
  • That you require third-party service providers to implement and maintain appropriate security controls
  • That you only keep the minimum data for the minimum time necessary
  • That you store and encrypt data appropriately
  • That you maintain the configuration and software on systems and networks where protected information is stored, processed, or transmitted
  • That you monitor activities to prevent unauthorized access to protected information
  • That you have an incident management program that includes learning from incidents

This list may seem daunting. SystemExperts can help.

Whether your organization has some compliance experience or none at all, SystemExperts can help you build a security program that complies with the Massachusetts regulation (or any other state law on data protection). Not only will it improve your overall company security, it will help prepare you for the inevitable series of regulations that will follow.

With its broad experience in compliance with other similar regulations like HIPAA, the PCI Data Security Standard, Sarbanes-Oxley, Gramm-Leach-Bliley, and the FTC’s Red Flag Rules, SystemExperts can help you develop a security program that fits the needs of your organization by:

  • Assessing the current state of your compliance with the regulation
  • Recommending cost-effective controls to meet the requirements of the regulation
  • Assisting in developing a Written Information Security Program (WISP)

Contact SystemExperts to request a free and confidential consultation about complying with state data protection regulations.