201 CMR 17.00 FAQs

Below is a list of frequently asked questions about the Massachusetts personal information protection regulation, 201 CMR 17.00. If you haven’t started taking steps toward compliance, you are well past the deadline for implementing a data breach protection program.

Hopefully the answers to these questions will give you a head start on the road to compliance. If you need assistance, please contact us here.

  • What is a CMR?
    The Code of Massachusetts Regulations (CMR) contains regulations announced by state agencies. Regulations form part of the body of administrative law, along with administrative orders and decisions. Regulations have the force and effect of laws, similar to statutes.
  • What are the differences between the current version of 201 CMR 17.00 and the version issued in February of 2009?

    There are some important differences in the two versions.

    First, the most recent regulation, issued in August of 2009, makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of the size and nature of the business and the amount of information that requires security. This clarification of the risk-based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

    Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only.

    Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.

    Fourth, the third-party vendor requirements have been changed to be consistent with federal law.

  • To whom does this regulation apply?
    The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.
  • Aside from credit card information, where is Personal Information located?

    Personal Information will frequently be included in financial records, employee and possibly candidate HR files, college and private school student files, patient data, and certain consumer-related files.

  • Must my data security program be in writing?
    Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources and the type of personal information you are storing or maintaining. But everyone who stores or maintains personal information must have a written plan detailing the measures adopted to safeguard such information.
  • If I have independent contractors working for me, am I responsible for them?
    You have the duty to take all reasonable steps (1) to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and (2) to ensure that such third-party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
  • Do I have to do an inventory of all my paper and electronic records?
    No, you do not have to inventory your records. However, you do need to identify which of your records contain personal information so that you can handle and protect that information in a manner that complies with the regulations. Most small companies already know which files contain this kind of information, and can quickly determine where in the company’s paper and electronic systems this information exists.
  • My business does not handle consumer data. Are we still required to comply with these Regulations?
    Yes, the Regulations are designed to protect Personal Information, which encompasses data beyond consumer information. For example, your Human Resources data likely falls into this category, if you have Massachusetts employees.
  • How do I know if my current computer system complies with the encryption requirements?
    You are probably going to need outside help in figuring this out, unless you have in-house IT staff or already retain the services of a consultant to help with IT matters. Although the definition of encryption is technology neutral, you do need to make sure that the encryption process you are using is transforming the data so that it cannot be understood without the use of a confidential key or process. Free encryption software is available, but unless you are computer savvy or have your own IT staff, you are going to need an outside IT consultant to help with setup.
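    The definition in this answer has a practical consequence that is easy to get wrong: reversible encoding such as base64, or any transform that does not depend on a secret key, is not encryption under the regulation. The following added example (written for this page, not part of the original FAQ and not any vendor’s product) probes a transform empirically for that property. It feeds a constructed, fictitious record through two candidate transforms and checks that the output is actually changed, that it depends on the key, and that a wrong key does not recover the plaintext. The keyed transform inside it (HMAC-SHA256 used as a keystream generator) exists only to keep the example dependency-free; a real deployment should rely on a vetted library cipher such as AES-GCM rather than a hand-built construction.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample record (fictitious, not real personal information):
# a name and a placeholder account number, the kind of field the regulation covers.
SAMPLE_RECORD = b"Jane Doe|ACCT-000000000|MA"
NONCE_LEN = 16


def encode_only(data: bytes, key: bytes) -> bytes:
    """Base64 'scrambling'. Ignores the key; anyone can reverse it.
    This is the negative case: encoding, not encryption."""
    return base64.b64encode(data)


def encode_only_reverse(blob: bytes, key: bytes) -> bytes:
    return base64.b64decode(blob)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: keystream = PRF(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def keyed_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Key-dependent transform: random nonce || (data XOR keystream).
    Demonstration only; production systems should use a vetted AEAD such as
    AES-GCM from a maintained library, not a hand-rolled construction."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(b ^ k for b, k in zip(data, ks))


def keyed_stream_decrypt(blob: bytes, key: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def check_key_dependence(encrypt, decrypt, sample: bytes) -> dict:
    """Empirical probe of the regulation's definition: the stored form must not be
    understandable without the confidential key.  Three checks:
      transformed      - the output is not simply the plaintext
      key_dependent    - the same plaintext under two keys gives different output
      wrong_key_fails  - decrypting with a different key does not yield the plaintext
    A transform that fails any of them is encoding or obfuscation, not encryption."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    ct_a = encrypt(sample, key_a)
    ct_b = encrypt(sample, key_b)
    result = {
        "transformed": ct_a != sample,
        "key_dependent": ct_a != ct_b,
        "wrong_key_fails": decrypt(ct_a, key_b) != sample,
    }
    result["meets_definition"] = all(result.values())
    return result


if __name__ == "__main__":
    for name, enc, dec in [("base64 encoding", encode_only, encode_only_reverse),
                           ("keyed stream cipher", keyed_stream_encrypt, keyed_stream_decrypt)]:
        print(name, check_key_dependence(enc, dec, SAMPLE_RECORD))
```

    Run as a script, the base64 case reports `meets_definition: False` (the output never depends on a key and a "wrong" key still recovers the record), while the keyed case reports `True`. The probes are necessary conditions, not a proof of strength: a transform can pass all three and still use a weak algorithm or a poorly protected key, which is why the answer above still points you toward qualified IT help for the real assessment.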
  • Is everyone’s level of compliance going to be judged by the same standard?
    Both the statute and the regulations specify that compliance is to be judged taking into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case-by-case basis.