The Massachusetts Data Security Law (201 CMR 17.00) safeguards the personal information of Massachusetts residents. The law went into effect on March 1, 2010, and at the time, was one of the most comprehensive data privacy laws passed in the United States.

Since the law’s passing, a variety of U.S. States have passed more robust data privacy legislation, including the notable California Consumer Privacy Act (CCPA) and Virginia Consumer Data Privacy Act (VCDPA). In many ways, Massachusetts’ early data security law was a precursor to these widely influential laws.

In early 2022, Massachusetts began work to pass an updated and stricter data privacy act named the Massachusetts Information Privacy and Security Act (MIPSA). The state government referred the bill to the Senate Committee on Ways and Means on January 3, 2023.


What Are the Objectives of the Massachusetts Data Security Law?

Massachusetts passed 201 CMR 17.00 to establish standards for the protection of residents' personal information. The law has three main objectives in defending residents of the Commonwealth:

  • Ensure the confidentiality of personal information
  • Protect the integrity and security of personal information
  • Protect personal information from unauthorized access

The law places strict compliance regulations and data privacy obligations on data controllers and processors to achieve these three objectives.

Who Must Comply With 201 CMR 17.00?

The Massachusetts Data Security Law requires compliance from many organizations, including any business that receives, stores, or otherwise processes the personal information of Massachusetts residents in connection with the sale of goods or services. The law also regulates companies that obtain personal information in an employment context.

Note: The scope of 201 CMR 17.00 extends to businesses operating in Massachusetts and those outside the state that process the personal information of Massachusetts residents.

What is Personal Information?

Massachusetts law 201 CMR 17.00 defines personal information as any piece of information that includes a person’s first and last name (or first initial and last name) and any one of the following:

  • Social security number
  • Driver’s license number or state-issued identification number
  • Financial account number (bank account, credit or debit card, etc.)

Under the law, personal information does not include any information lawfully obtained from public, state, or federal government records. The law also excludes information that is explicitly considered public knowledge.

Under Massachusetts law, businesses that only swipe credit cards and batch out the data in accordance with state and federal standards are not considered to own or license personal information.

Note: The definition of personal information used by 201 CMR 17.00 comes from Massachusetts General Law (M.G.L.) Chapter 93H. Other privacy laws around the United States have stricter definitions of public information. Businesses should be careful when considering whether they qualify for an exemption from any data privacy law, because they may still be required to comply with another, overlapping law.
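As an added example (the editor's code, not UpGuard's or the Commonwealth's), the definition above encoded as a data-classification rule: a record is in scope when it pairs a last name with a first name or first initial and carries at least one of the three listed identifiers. Field names and sample records are assumed; the public-record and publicly-known exclusions are legal questions the code does not decide.

```python
import re
from typing import Iterable, Mapping

# Elements that, combined with a name, make a record "personal information"
# under the definition above (field names are assumed for this example).
IDENTIFIER_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or state-issued ID number",
    "financial_account": "financial account number",
}
_SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _text(record: Mapping, key: str) -> str:
    value = record.get(key)
    return "" if value is None else str(value).strip()


def has_qualifying_name(record: Mapping) -> bool:
    """Last name plus either a first name or a one-letter first initial."""
    initial = _text(record, "first_initial").rstrip(".")
    return bool(_text(record, "last_name")) and (
        bool(_text(record, "first_name")) or len(initial) == 1
    )


def triggering_elements(record: Mapping) -> list[str]:
    """Identifiers present in the record that combine with the name."""
    found = []
    for key, label in IDENTIFIER_FIELDS.items():
        value = _text(record, key)
        if not value:
            continue
        if key == "ssn" and not _SSN_RE.match(value):
            continue  # a malformed SSN is not counted as a match
        found.append(label)
    return found


def is_personal_information(record: Mapping) -> bool:
    return has_qualifying_name(record) and bool(triggering_elements(record))


def records_needing_protection(records: Iterable[Mapping]) -> dict[str, list[str]]:
    """Map each in-scope record's id to the elements that put it in scope."""
    return {r["id"]: triggering_elements(r) for r in records if is_personal_information(r)}


# Constructed sample records (fictitious data, not from the page).
SAMPLE_RECORDS = [
    {"id": "r1", "first_name": "Ann", "last_name": "Lee", "ssn": "123-45-6789"},
    {"id": "r2", "first_initial": "B.", "last_name": "Ruiz", "financial_account": "00112233"},
    {"id": "r3", "first_name": "Cal", "last_name": "Moe", "ssn": "12-345"},  # malformed SSN
    {"id": "r4", "last_name": "Dunn", "drivers_license": "S12345678"},  # no first name
    {"id": "r5", "first_name": "Eve", "last_name": "Park"},  # name only, no identifier
]
```

Only r1 and r2 come back from `records_needing_protection(SAMPLE_RECORDS)`; the other three fail either the name rule or the identifier rule.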

Requirements of the Massachusetts Data Security Law (201 CMR 17.00)

The standards set forth by 201 CMR 17.00 require organizations that collect or process the personal information of Massachusetts residents to:

  • Develop a written information security program (WISP) that includes a computer security system
  • Designate at least one employee to maintain the WISP and its security policies
  • Conduct risk assessments and install improvements to safeguard personal data
  • Take disciplinary measures and reasonable steps to penalize employees who violate the WISP
  • Develop security measures to improve the data protection of personal information
  • Document any breach of security or data leak and the process that the organization took to respond to such events

Note: Safeguards included within an organization’s WISP must be consistent with other state or federal regulations the organization is subject to (HIPAA, GLBA, FERPA, etc.). In other words, small businesses that do not process large amounts of protected information are not held to the same requirements as entities with considerably more resources.

Computer System Security Requirements

Massachusetts regulations require businesses to fortify their computer security systems with industry-standard data protection measures wherever technically feasible.

These standards must include:

  • Control of all user identifiers and passwords for authentication purposes
  • Strict lock-out procedures for inactive users or failed log-in attempts
  • Access restricted to those persons who reasonably need personal information to perform their job duties
  • Up-to-date firewall protection and operating system security to prevent data breaches
  • Security patches for systems connected to the Internet
  • Up-to-date versions of system security agent software (malware protection and virus definitions)
  • Encryption of any personal information that an organization transmits over a public network
  • Employee education and training protocols

Encryption Protocols Under 201 CMR 17.00

Encryption is the most significant protocol required by the Massachusetts Data Security Law. Under the law, organizations must encrypt all records or files that will or will likely be transmitted wirelessly or across a public network. Organizations must also encrypt all personal data stored on a laptop or portable device.

Unlike some other privacy laws, Massachusetts requires ALL personal information to be encrypted even if storage devices do not leave business premises.

Definition of Encrypted (201 CMR 17.00)

Massachusetts law defines encryption as transforming data into a form in which it cannot reasonably be attributed to an individual without a key or password. To meet the standard, the organization must also render the data unreadable. Password protection alone does not equal compliance.

Businesses must also consider ways to prevent identity theft. Under the law’s reasonable standard of care, personal data should not be communicated by unprotected means, such as email or SMS.

Contracts Between Businesses and Third-Party Service Providers

Under the law, all service providers must sign a contract that obligates them to comply with the Massachusetts Data Security Law standards. Organizations must also do their due diligence when selecting third-party vendors to assist their businesses.

Enforcement of 201 CMR 17.00

The Massachusetts Data Security Law appoints the Massachusetts Attorney General to carry out all enforcement actions. The Attorney General’s office will notify any entity that violates the law and enforce a strict compliance deadline. Businesses that do not comply after being notified of a violation will likely incur civil penalties of up to $5,000 per affected individual.

How Can UpGuard Help?

UpGuard’s Vendor Risk product empowers organizations to achieve compliance (201 CMR 17.00, MHMDA, VCDPA, CCPA, GDPR, etc.) across their supply chain. The technology also allows organizations to automate vendor compliance risk assessments and receive real-time updates to their security posture.

UpGuard’s BreachSight enables organizations to take complete control over their data-handling program. The product allows businesses to proactively monitor their attack surface, gain confidence in their cybersecurity protections, and establish best practices in line with 201 CMR 17.00 or any other compliance regulation.

Note: Organizations can read additional Massachusetts Data Security Law information on Mass.gov. The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also published several FAQs on the subject.
