Massachusetts’ Privacy Regulation 201 CMR 17.00

Young Male Government Employee Uses Laptop Computer in System Control Monitoring Center. In the Background His Coworkers at Their Workspaces with Many Displays Showing Technical Data.

Massachusetts’ Privacy Regulation 201 CMR 17.00

The objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

This Massachusetts’ regulation is designed to establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

Contact Us

Let Us Help You Achieve Compliance

TBG Security consultants have been helping customers comply with State and Federal business and privacy regulations for more than a decade.

Working as either a full-service consultant, or as an adjunct to your in-house teams, TBG Security will execute our phased compliance readiness process to ensure that the business meets or exceeds your compliance requirements.

Services include:

  • Creating a comprehensive information security policy.
  • Performing an audit to determine current level of regulatory compliance.
  • Providing remediation for vulnerabilities detected on your systems.
  • Advising your company on specific steps needed to achieve compliance.
  • Deploying security infrastructure to encrypt email messages automatically.
  • Encrypting your company’s laptops and other mobile devices.
  • Securing your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code.
Businessman typing plan for next day late in office

What If I Don’t Comply?

A civil penalty of $5,000 USD may be levied for each violation of M.G.L. 93H, 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.

201 CMR 17.00 Cheatsheet

  • Regulation type: State and Federal standards
  • Governing body: The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR)
  • Standard: 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (also known as the “Regulation”)
  • Purpose: Sets requirements for how a business, whether based in Massachusetts or not, must securely store personal information about a resident of Massachusetts.
  • Highlights: CMR 17.00 requirements include encrypting documents during storage and transmission, encrypting wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data store and the outside world, granting access to authorized users only.
  • Who must comply: EVERY company that licenses or stores personal information about a Massachusetts resident must comply with 201 CMR 17.00.

Want more information on Massachusetts regulation 201 CMR 17.00? We’re here to help.