201 CMR 17 (Mass.)

201 CMR 17 (Mass. Privacy) Compliance

The Massachusetts Attorney General’s Office actively enforces the state’s privacy regulation, 201 CMR 17.

Who Must Comply?

According to the law, any business, organization, or person that owns or licenses the personal information of a Massachusetts resident is subject to the law.

This applies to out-of-state entities in addition to local businesses.

What are the Requirements?

A comprehensive information security program must be developed, implemented, followed, and maintained.

The state considers the size of the business, amount of resources available, quantity of stored data, and expectations of confidentiality when determining if a program is sufficient.

Both technical and physical safeguards must be implemented.

Physical Safeguards

Information security plans are expected to include the following:

  • Risk assessment
  • Employee training program
  • Employee compliance policies and discipline measures
  • Policies for storing, accessing, and transporting records
  • Preventing terminated employees from accessing records
  • Overseeing third-party service providers
  • Documenting breaches
  • Locks and other physical access restrictions
  • Regular monitoring
  • Annual reviews

Technical Safeguards

  • Controlled user accounts that lock after failed logins
  • Secured passwords or unique identifiers
  • Restricting access to active user accounts only
  • Access policy limits based on job duties
  • Encryption of stored and transmitted records
  • Monitoring for unauthorized access
  • Up-to-date firewall, antivirus, and security software

Massachusetts WISP: Written Information Security Program

Terminal can assist your business or organization in developing a Written Information Security Program, known as a WISP, to help ensure you are meeting Massachusetts privacy standards.