Massachusetts Data Protection Law — jitai.co/security-assessment/ma-201-cmr-17
What Is MA 201 CMR 17 and Does Your Business Need to Comply?
MA 201 CMR 17 — formally titled “Standards for the Protection of Personal Information of Residents of the Commonwealth” — is a Massachusetts state regulation that requires any person or business that collects, stores, or handles personal information about Massachusetts residents to maintain a Written Information Security Program and implement specific security safeguards. There is no size exemption. A one-person firm with a single Massachusetts client faces the same requirements as a regional company.
Why This Matters
Massachusetts put one of the strictest data-protection regulations in the United States into effect on March 1, 2010. Most businesses subject to it have never heard of it.
The regulation applies not just to Massachusetts-based companies but to any person or business, anywhere in the world, that handles personal information about Massachusetts residents. That means your firm is covered if it has Massachusetts customers, clients, patients, or employees — even if your office is in Rhode Island, California, or Texas.
Non-compliance is not a theoretical risk. The Massachusetts Attorney General actively enforces the regulation under the state's data-security and consumer-protection statutes (M.G.L. c. 93H and c. 93A), and civil penalties can reach $5,000 per violation. A breach that occurs without a documented security program adds civil-litigation exposure on top of regulatory penalties.
This is educational content. Consult legal counsel for determinations specific to your business and situation.
Quick Answer
MA 201 CMR 17 requires any covered business to:
1. Maintain a Written Information Security Program (WISP) -- a written document that describes the security program.
2. Implement specific technical safeguards, including encryption of personal information stored on portable devices and sent across public networks.
3. Implement physical security controls over records and devices.
4. Require, by contract, that vendors who handle personal information on your behalf maintain appropriate security measures.
There is no size exemption. The regulation applies to businesses with one employee and businesses with thousands.
What the Regulation Covers
201 CMR 17 is designed to protect “personal information” of Massachusetts residents. The regulation defines personal information as:
A person’s first name or first initial AND last name, combined with ANY of:
- Social Security number
- Driver’s license number or state-issued ID number
- Financial account number, or credit or debit card number -- with or without any required security code, access code, PIN, or password -- that would permit access to the resident's financial account
If your business holds records that match this combination for any Massachusetts resident, the regulation applies to you.
Note: information lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the public, falls outside the definition. Encryption does not take a record out of the definition; it matters at the breach stage, where Massachusetts law treats unauthorized acquisition of encrypted data as a breach only if the encryption key or process was also compromised. Verify the specific boundaries with legal counsel.
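The definition above is a conjunctive test, and the first practical step toward a WISP is finding out which of your records actually meet it. As an added example (not code from the original page or from Just In Time AI), the following Python applies the definition as a scope check over constructed sample records. The field names, the use of the address state as a residency proxy, the SSN format rules, and the Luhn check on card numbers are this example's own assumptions; the regulation prescribes the definition, not a detection method.

```python
"""Scope check for MA 201 CMR 17: which records meet the regulation's
definition of "personal information" (name + SSN, driver's license,
or financial account/card number)?

Added example, not from the page.  Field names, the sample records,
the state-of-address residency proxy and the Luhn filter are all this
example's assumptions, not anything the regulation prescribes."""
import re

# SSN: three groups, rejecting ranges the SSA never issues (000, 666,
# 900-999 area; 00 group; 0000 serial).  Dashes optional.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")
# Payment card PANs are 13 to 19 digits; the Luhn check below removes
# most random digit strings (order numbers, phone numbers) that would
# otherwise be false positives.
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_digits(value) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and
    '4111-1111-1111-1111' compare equal."""
    return re.sub(r"[\s-]", "", value or "")


def classify(record: dict) -> list:
    """Return the qualifying identifier types for one record, or [] if
    the record is not personal information under 201 CMR 17.

    The definition is conjunctive: (first name OR first initial) AND
    last name AND at least one of the three identifier categories.  A
    card number with no name, or a name with only an e-mail address,
    does not qualify."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    if not (first and last):
        return []
    hits = []
    if SSN_RE.match((record.get("ssn") or "").strip()):
        hits.append("ssn")
    # License formats differ by state, so any non-empty value is treated
    # as present (assumption; tighten per issuing state if you know it).
    if (record.get("drivers_license") or "").strip():
        hits.append("drivers_license")
    card = normalize_digits(record.get("card_number"))
    if CARD_RE.match(card) and luhn_ok(card):
        hits.append("card_number")
    if (record.get("bank_account") or "").strip():
        hits.append("bank_account")
    return hits


def in_scope(record: dict) -> bool:
    """Residency proxy (assumption): treat an 'MA' address state as a
    Massachusetts resident.  A real inventory needs a better residency
    signal, since mailing address and residence can differ."""
    return (record.get("state") or "").upper() == "MA" and bool(classify(record))


# Constructed sample records; every value is fictitious.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Smith", "state": "MA",
     "ssn": "123-45-6789"},                                   # initial + SSN
    {"first_name": "Ana", "last_name": "Lopez", "state": "MA",
     "card_number": "4111 1111 1111 1111"},                   # Luhn-valid PAN
    {"first_name": "Ana", "last_name": "Lopez", "state": "MA",
     "card_number": "4111 1111 1111 1112"},                   # fails Luhn
    {"first_name": "", "last_name": "Chen", "state": "MA",
     "ssn": "123-45-6789"},                                   # no first name/initial
    {"first_name": "Raj", "last_name": "Patel", "state": "RI",
     "ssn": "123-45-6789"},                                   # not an MA address
    {"first_name": "Lee", "last_name": "Wong", "state": "MA",
     "email": "lee@example.com"},                             # no qualifying identifier
]


def scan(records) -> list:
    """Index and identifier types of every in-scope record."""
    return [(i, classify(r)) for i, r in enumerate(records) if in_scope(r)]


if __name__ == "__main__":
    for idx, kinds in scan(SAMPLE_RECORDS):
        print(f"record {idx}: 201 CMR 17 personal information via {kinds}")
```

Only the first two sample records come back in scope: the third fails the Luhn check, the fourth has no first name or initial, the fifth is not a Massachusetts address, and the sixth has no qualifying identifier. The point of running a check like this before writing the WISP is that the inventory of in-scope records, not the size of the business, determines where encryption, access restrictions, and vendor contract terms must apply.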
Who It Applies To
The regulation applies to any person who “owns or licenses personal information about a resident of the Commonwealth.” The reach is broader than most businesses expect:
- ✓ Retail and e-commerce businesses serving Massachusetts customers
- ✓ Professional service firms -- law, accounting, financial advising -- with Massachusetts clients
- ✓ Healthcare providers and dental practices with Massachusetts patients
- ✓ Employers with Massachusetts employees
- ✓ Landlords collecting tenant financial information
- ✓ Nonprofits holding donor or client records
- ✓ Technology companies and SaaS providers processing data about MA residents
- ✓ Out-of-state businesses serving MA residents online
If you hold a first name (or first initial) and last name together with any of the three data categories above for a Massachusetts resident, you are covered -- regardless of where your business is physically located.
One nuance: the regulation directs that your safeguards be consistent with the safeguards required by any state or federal regulations you are already subject to (Gramm-Leach-Bliley for financial institutions, HIPAA for health care), so a program built under one of those rules will cover much of what 201 CMR 17 asks for. It is not an exemption; the written program and the other elements below are still required. Consult legal counsel to evaluate how your existing federal program maps to your 201 CMR 17 obligations.
What the Written Information Security Program Must Include
The regulation (17.03) specifies the elements your WISP must address. A written program that omits required elements is not compliant even if the underlying practices are sound — the written record must match and cover them all.
The following is an educational summary of the required elements. For the authoritative text, see the official 201 CMR 17.00 regulation on mass.gov. Consult legal counsel for determinations specific to your situation.
1. Designated program owner
Identify and name one or more employees responsible for maintaining the security program. The regulation requires accountability: the program must have an owner.

2. Risk assessment
Document a process for identifying and assessing reasonably foreseeable internal and external risks to the personal information you hold, evaluating whether current safeguards address them, and improving safeguards where they do not. The regulation requires ongoing assessment, not a one-time review.

3. Employee training and discipline
Train employees (including temporary and contract staff) who handle personal information, and keep records of who was trained, what was covered, and when; training you cannot document is hard to defend as having happened. The program must also set out disciplinary measures for violating its rules.

4. Access controls
Define who may access personal information and under what conditions. Limit access to those who need it to do their jobs, use secure authentication, and terminate access immediately when an employee leaves or changes roles; the regulation specifically calls out preventing terminated employees from reaching records.

5. Physical safeguards
Secure the physical locations where personal information is stored or processed: locked storage, controlled access to server areas, and clean-desk practices for records containing personal data. The program must also set rules for records that leave the premises, whether on paper or on a laptop.

6. Technical safeguards
Section 17.04 lists the computer-system requirements, to be met to the extent technically feasible: secure user authentication (control of user IDs, a reasonably secure method of assigning and protecting passwords, access restricted to active accounts, and lockout after multiple failed login attempts); access controls that give each user a unique ID and password (not a vendor-supplied default) and restrict access to those who need it; encryption of personal information that travels across public networks or is transmitted wirelessly; encryption of personal information on laptops and other portable devices; reasonable monitoring of systems for unauthorized use or access; reasonably up-to-date firewall protection and operating-system patches; and reasonably up-to-date malware protection with current definitions.

7. Service provider management
When vendors handle personal information on your behalf -- payroll, IT support, cloud hosting, accounting -- you must take reasonable steps to select and retain providers capable of protecting it, and the contract must require them to implement and maintain appropriate security measures.

8. Incident response
Define what you do when a breach occurs or is suspected: who investigates, who is notified, and in what timeframe. The regulation requires you to document the responsive actions taken for any breach and to conduct a post-incident review. Massachusetts breach-notification law (M.G.L. c. 93H) requires notice to the Attorney General, the Office of Consumer Affairs and Business Regulation, and affected residents as soon as practicable and without unreasonable delay; the WISP should reference those obligations.

9. Periodic review
Review the scope of the security measures at least annually and whenever there is a material change in your business practices, technology, or the employees responsible for security. A program that has not been reviewed since it was written is a gap in itself.
How 201 CMR 17 Relates to Other Frameworks
Many businesses already operate under HIPAA, PCI DSS, NIST, or SOC 2. Here is how each intersects with 201 CMR 17. This is an educational summary -- consult legal counsel to determine whether a specific framework satisfies your 201 CMR 17 obligations.
HIPAA
Covers protected health information. HIPAA compliance does not automatically satisfy 201 CMR 17: employee records with Social Security numbers, for example, are not PHI but are personal information under the Massachusetts regulation. You still need a WISP covering personal information outside the HIPAA definition.
PCI DSS
Addresses payment card data. PCI compliance addresses a subset of what 201 CMR 17 requires. You still need a WISP and the other required elements.
NIST 800-171 / NIST CSF / NIST 800-53
These frameworks cover the same control domains as 17.03 and 17.04, usually in more depth, so a program built on one of them maps to the Massachusetts requirements with few gaps. They are not a legal safe harbor: none of them replaces the written program, the named owner, the vendor contract obligation, or the flat requirement to encrypt personal information on portable devices, which a risk-based NIST profile may treat as optional. Use the NIST mapping as evidence that the WISP's safeguards are reasonable, not as a substitute for the WISP.
SOC 2
SOC 2 is an attestation that the controls you selected meet the security trust service criteria, which overlap significantly with 201 CMR 17. A SOC 2 report is useful evidence of technical and operational safeguards and a reasonable way to vet service providers, but it is scoped to the controls you chose, so confirm that the WISP elements above fall inside that scope.
How Just In Time AI Helps
Just In Time AI, headquartered in Berkley, MA, helps businesses across the United States understand their security posture and build written programs that hold up to state and sector requirements including MA 201 CMR 17.
The starting point is the free security self-assessment at jitai.co/security-assessment. It is a self-attested posture indicator -- not an audit or certification, and not a substitute for legal review. You answer 18 questions across the same control domains a WISP must cover: written policy, access controls, data protection, backup and recovery, detection and response, and vendor management.
From there, a paid gap assessment maps your current state against the specific requirements of 201 CMR 17 and the relevant NIST controls. We work with frameworks including NIST 800-171, NIST 800-53, NIST CSF, SOC 2, ISO 27001, and state WISP requirements. Consult your legal counsel for determination of your specific legal obligations.
Key Takeaways
- ✓ MA 201 CMR 17 applies to any business that handles personal information of Massachusetts residents -- regardless of size, industry, or location.
- ✓ Personal information means a first name or initial and last name combined with a Social Security number, driver's license or state ID number, or a financial account or payment card number.
- ✓ The cornerstone requirement is a Written Information Security Program (WISP) -- a written document, not informal practices.
- ✓ Technical safeguards are mandatory: encryption on portable devices and over public networks, secure authentication with account lockout, and current patches and malware protection.
- ✓ Vendor agreements must obligate your vendors to maintain appropriate security for data they handle on your behalf.
- ✓ Penalties can reach $5,000 per violation. The Massachusetts AG actively enforces the regulation.
- ✓ NIST 800-171, NIST CSF, and SOC 2 programs cover most of the same control domains, but none is a safe harbor: the written program, named owner, vendor contract terms, and portable-device encryption are still required.
Frequently Asked Questions
What is MA 201 CMR 17?
Who does MA 201 CMR 17 apply to?
What counts as personal information under 201 CMR 17?
What is the most important requirement of 201 CMR 17?
What are the penalties for violating MA 201 CMR 17?
Does my business need to comply with 201 CMR 17 if it is not in Massachusetts?
How does 201 CMR 17 relate to HIPAA?
How do I know if my business is compliant with 201 CMR 17?
Find Out Where Your Security Posture Stands
Not sure if your business meets 201 CMR 17 requirements? The Just In Time AI free security self-assessment walks you through 18 questions across the same domains a WISP must cover. You get an instant on-page posture view -- no sales call required.
This is a self-attested posture indicator, not an audit or certification, and not a substitute for legal review. Consult qualified legal counsel for determinations specific to your business.
Just In Time AI — jitai.co — Berkley, MA — serving businesses nationwide
