
Massachusetts Privacy Law (201 CMR 17)

Protecting the Personal Information of Massachusetts Residents


If you do business with residents of Massachusetts, or have employees who reside in Massachusetts, you own or license their personal information and must comply with the MA Privacy Law.

Personal information (PI) is defined as a Massachusetts resident's first name and last name (or first initial and last name) in combination with one or more of the following:
  • Social Security number
  • Driver's license number or state-issued identification card number
  • Financial account number or credit/debit card number

Massachusetts Privacy Law (201 CMR 17.00)
STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
17.04: Computer System Security Requirements

See how WhatsUp Gold can help:

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

WhatsUp Log Management Suite provides real-time alerting and point-and-click reporting on complete audit trails of access to and manipulation of PI records, so you can quickly identify security threats such as logon failures or multiple unsuccessful access attempts (the condition under which 17.04(1)(e) requires access to be blocked). Here is the recommended list of reports for demonstrating compliance with the Massachusetts Privacy Law:

  • Account Management – Success/Failure
  • Directory Service Access - Success/Failure
  • Object Access Attempts – Success/Failure
  • Object Deletions
  • Group Management
  • Password Reset Attempts by Users
  • Password Reset Attempts by Administrators or Account Operators
  • Computer Account Management
  • Directory Service Access Attempts
  • Logon Failures – Active Directory
  • Logon Failures – Local Logons
  • User Activity in Auditing Categories
  • Successful Network Logons – Workstations and Servers
  • User Account Lockouts

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

WhatsUp Log Management Suite provides:

  • Real-time monitoring and detection of key events (e.g. Object Access Attempts – Success/Failure, Object Deletions or User Account Lockouts on systems containing personal information)
  • Support for routine log review activities
  • Detailed forensic analysis to support breach investigations
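The report list above and the monitoring requirement in 17.04(4) describe the same detection work: count failed logons per account in a time window, surface lockouts, and record who read or deleted files that hold PI. The following is an added example, written for this page rather than taken from WhatsUp Log Management or any Progress product, that runs those detections over a handful of constructed Security-log records. The event IDs are the standard Windows Security log IDs (4625 failed logon, 4740 lockout, 4663 object access attempt, 4723 self-service password change, 4724 administrator reset); the `time key=value` line format, the `\\FS01\HR` share, and every user name and path are assumptions made up for the example.

```python
"""Threshold detections over constructed Windows Security log lines (added example).

Event IDs used (standard Windows Security log values):
  4625 failed logon            4740 account locked out
  4663 object access attempt   (access=DELETE marks a deletion)
  4723 user changed own password   4724 password reset by an administrator
The one-line 'time key=value ...' format is an assumed normalised export,
not a real Windows format; all records below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed location of the files that hold personal information (PI).
PI_SHARES = ("\\\\FS01\\HR\\",)

SAMPLE_LOG = """\
2024-03-01T09:00:01 id=4625 user=jdoe src=10.0.0.12
2024-03-01T09:00:05 id=4625 user=jdoe src=10.0.0.12
2024-03-01T09:00:09 id=4625 user=jdoe src=10.0.0.12
2024-03-01T09:00:14 id=4625 user=jdoe src=10.0.0.12
2024-03-01T09:00:20 id=4625 user=jdoe src=10.0.0.12
2024-03-01T09:00:26 id=4740 user=jdoe src=DC01
2024-03-01T09:01:00 id=4625 user=asmith src=10.0.0.40
2024-03-01T09:02:00 id=4663 user=asmith object=\\\\FS01\\HR\\payroll.xlsx access=ReadData outcome=success
2024-03-01T09:02:30 id=4663 user=contractor object=\\\\FS01\\HR\\ssn_list.csv access=ReadData outcome=failure
2024-03-01T09:03:00 id=4663 user=asmith object=\\\\FS01\\HR\\old_w2.pdf access=DELETE outcome=success
2024-03-01T09:03:30 id=4663 user=asmith object=\\\\FS01\\Public\\notes.txt access=ReadData outcome=success
2024-03-01T09:04:00 id=4723 user=bwong target=bwong
2024-03-01T09:04:30 id=4724 user=helpdesk1 target=jdoe
"""


def parse(log):
    """Turn the constructed lines into dicts, sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["id"] = int(ev["id"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users whose failed logons (4625) reach `threshold` inside a sliding `window`.

    Returns {user: peak count in any window}. 17.04(1)(e) expects access to be
    blocked once this point is reached, so a hit here should also show up as a 4740.
    """
    recent, peaks = defaultdict(deque), {}
    for ev in events:
        if ev["id"] != 4625:
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["user"]] = max(peaks.get(ev["user"], 0), len(q))
    return peaks


def lockouts(events):
    """Accounts locked out (4740), in order of occurrence."""
    return [ev["user"] for ev in events if ev["id"] == 4740]


def pi_object_access(events, shares=PI_SHARES):
    """Per-user success/failure counts for 4663 events on PI shares, plus deleted paths.

    A raw 4660 'object deleted' event carries only a handle ID, so the DELETE
    access right on 4663 is what ties a deletion to a path without handle correlation.
    """
    report = defaultdict(lambda: {"success": 0, "failure": 0, "deleted": []})
    for ev in events:
        if ev["id"] != 4663 or not ev["object"].startswith(shares):
            continue
        entry = report[ev["user"]]
        entry[ev["outcome"]] += 1
        if ev.get("access") == "DELETE" and ev["outcome"] == "success":
            entry["deleted"].append(ev["object"])
    return dict(report)


def password_resets(events):
    """Separate self-service changes (4723) from resets by administrators (4724)."""
    return {
        "self": [ev["target"] for ev in events if ev["id"] == 4723],
        "admin": [(ev["user"], ev["target"]) for ev in events if ev["id"] == 4724],
    }


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("lockouts:", lockouts(evs))
    print("PI object access:", pi_object_access(evs))
    print("password resets:", password_resets(evs))
```

The threshold and window are the two knobs a reviewer will ask about when you document the lockout policy for 17.04(1)(e); the failed-logon burst for `jdoe` in the sample is followed by a 4740 six seconds later, which is the pairing you want to see in a real log, while the `contractor` failure on the HR share is the kind of event the 17.04(4) review should escalate even though no lockout occurred.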

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

WhatsUp Gold can discover, map and inventory layer 2 connectivity across your entire network in minutes, and collects asset inventory and configuration information for each device (e.g. installed software and applications, operating system details, patch information). You will:

  • Know where systems containing PI records are located, and their layer 2 topology connections
  • Get a detailed inventory of systems containing PI records to ensure they have the proper operating system security patches
  • Document compliance with 201 CMR 17.00 requirements for operating system security patches

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my "monitoring" obligation?
The monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

What are the penalties for non-compliance?
Penalties for non-compliance with 201 CMR 17 are enforced under Massachusetts General Law Title XV (Regulation of Trade), chapter 93A, section 4. Violators may face a civil penalty of up to $5,000 for each violation and are required to pay the reasonable costs of investigation and litigation of the violation (including reasonable attorney's fees). They are also exposed to additional civil action, since 201 CMR 17 sets a baseline standard that lets plaintiffs argue that a business which lost data was negligent. The same title (chapter 93H) also requires that a breach of security be reported to the Office of Consumer Affairs and Business Regulation (OCABR), the Attorney General and the affected residents.

Do you have a checklist to help me comply with 201 CMR 17?
You can find a detailed checklist here, but here are some quick guidelines to help you get started:

  • Document a written information security program ("WISP") applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts ("PI")
  • Document any actions taken in connection with any breach of security, and require a post-incident review of the events and of the actions taken, so that security can be improved
  • Assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access, and ensure those IDs and passwords are reasonably designed to maintain the security of your access controls
  • Limit access to PI records to those persons who have a "need to know" in connection with your legitimate business purposes, or in order to comply with state or federal regulations
  • Encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly
  • Encrypt all PI stored on laptops or other portable devices
  • Deploy a log management solution for security and compliance to alert you to the occurrence of unauthorized use of or access to PI
  • Ensure and document that any system connected to the Internet has up-to-date firewall protection for files containing PI; and operating system security patches to maintain the integrity of the PI
  • Deploy system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions
  • Establish training for employees on the proper use of your computer security system, and the importance of PI security
  • Establish a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary
  • Review your security measures at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records