201 CMR 17.00

The Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00 require that any companies or persons who store or use personal information (PI) about a Massachusetts resident develop a written, regularly audited plan to protect personal information. Both electronic and paper records will need to comply with the new law. The regulations went into effect on March 1, 2010. The law was originally supposed to go into effect on January 1, 2009, but then was pushed to May 1 and then January 1, 2010, and then to March 1, 2010, due to the state of the economy and confusion about the law.

Identity theft and fraud are the major concerns at the core of the implementation of the 201 CMR 17.00. For example, if a Massachusetts resident's information is leaked or captured, there could be serious consequences for the business that allowed the breach and for the individual whose information was leaked. Therefore, making changes to keep residents' information secure will be required to avoid security breach and fines.

According to the regulations, companies will need a written security plan to safeguard their contacts' or employees personal information. It will need to be illustrative of policies that demonstrate technical, physical, and administrative protection for residents’ information. The plan will need to be written to meet industry standards. Companies will have to designate employees to oversee and manage security procedures in the workplace, as well as continuously monitor and address security hazards. Policies addressing employee access to and transportation of personal information will need to be developed, as well as disciplinary measures for employees who do not conform to the new regulations. Limiting the collection of data to the minimum that is needed for the purpose it will be used for is also part of the new regulations.