Does My Business Need To Comply With 201 CMR 17.00?

All businesses and other legal entities that own, license, store or maintain personal information about a resident of the Commonwealth are required to develop, implement, maintain and monitor a comprehensive information security program applicable to any records containing such personal information. Personal information will frequently be included in payroll records, employee and candidate HR files, student files, patient data, and certain consumer-related files.

What is Personal Information?

Personal Information (PI) is defined as a Massachusetts resident’s first and last name, or first initial and last name, along with one or more of the following:

  • Social Security Number,
  • driver’s license number or state-issued identification card number,
  • financial account number, or
  • credit or debit card number.

How Do I Know If My Company Is Compliant?

  • Do you have a comprehensive, written information security program (“WISP”)?
  • Have you designated one or more employees to maintain and supervise WISP implementation and performance?
  • Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices that contain personal information?
  • Have you taken steps to identify and evaluate internal and external risks to paper and electronic records containing PI?
  • Do you have in place a procedure for documenting any actions taken in connection with any breach of security; and does that procedure require post-incident review of events and actions taken to improve security?
  • Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?
  • Do you encrypt all PI stored on laptops or other portable devices?
  • Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
  • Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?
  • Do you have in place training for employees on the proper use of your computer security system and the importance of PI security?

If you answered no to any of these questions, you're not in compliance with Mass. 201 CMR 17.00. Since ALL companies need to be in compliance, no matter the size of the organization, you're technically in violation of this law. With the January 1, 2010 deadline long since past, TBG Security can help your organization get a jump start on the requirements to become compliant. As a trusted advisor to your organization, TBG Security can guide you through the actions necessary to achieve compliance by the deadline.

