skip to main content


Revised Massachusetts Regulations for the Protection of Personal Information Take Effect March 1, 2010

February 5, 2010

Authors: Catherine F. Intravia, Alison P. Baker

The Massachusetts Office of Consumer Affairs and Business Regulation has recently adopted and finalized regulations (201 CMR 17.00) for the protection of Personal Information of Massachusetts residents. The regulations, which now take effect March 1, 2010, have been modified significantly since they were first proposed.

Who must comply with the regulations?
Any person or business that owns, licenses, receives, stores, maintains, processes, or otherwise has access to Personal Information of Massachusetts residents must comply with the regulation. The regulation does not apply to municipalities or natural persons who are not in commerce.

What is “Personal Information”?
Personal information is a person’s first name (or initial) and last name coupled with the person’s Social Security number, driver’s license number, state-issued ID number, or financial account/credit/debit card number.

What does the regulation require?
Any person or business that has Personal Information of Massachusetts residents must create a comprehensive written information security plan (“WISP”) that is monitored and updated periodically. The WISP must describe the administrative, technical and physical safeguards implemented to protect the Personal Information contained in both paper and electronic records. In essence, the WISP must describe how the business or person is ensuring that Personal Information in its possession is being protected.

How does the current version of the regulation differ from previously issued versions?
The current version of the regulation adopts a risk-based approach to information security, rather than “one size fits all” rules. The regulation requires a business or person in possession of Personal Information to consider the size and scope of its business, the amount of resources, the nature and quantity of data collected and/or stored, and the need for security when creating a WISP and handling Personal Information. Therefore, compliance with the regulation will be assessed on a case-by-case basis.

Additionally, provisions relating to computer security must be implemented to the extent “technically feasible.” The term “technically feasible,” as noted in the FAQ’s published by the Office of Consumer Affairs and Business Regulation, means that if a reasonable means for accomplishing a result exists, it must be used. The consequence of this new qualifier is that some prior mandates, including the encryption of all Personal Information on portable devices, are now softened.

Is encryption required?
Portable devices that contain Personal Information must be encrypted where it is technically feasible to do so. In the regulation, encryption is defined as the transformation of data into a form in which the meaning cannot be assigned without the use of a confidential process or key. Password protection is not considered encryption.

What else must be included in the WISP?
There are a number of important measures that must be included in a WISP. For example, businesses and persons must ensure that any third-party service providers are contractually obligated to properly protect Personal Information; educate and train employees in the proper protection of Personal Information; assign passwords for all persons with computer access; and review security measures at least annually. A complete enumeration of all requirements is provided in the regulation.

Have questions or need assistance?
If you have any questions about compliance with relevant state and federal laws for the protection of Personal Information, or how to address a security breach, please contact Catherine Intravia at 860-251-5805.

Related File(s)

© Shipman & Goodwin LLP, 2019. All Rights Reserved.