Massachusetts Data Protection Law — jitai.co/security-assessment/ma-201-cmr-17

What Is MA 201 CMR 17 and Does Your Business Need to Comply?

MA 201 CMR 17 — formally titled “Standards for the Protection of Personal Information of Residents of the Commonwealth” — is a Massachusetts state regulation that requires any person or business that collects, stores, or handles personal information about Massachusetts residents to maintain a Written Information Security Program and implement specific security safeguards. There is no size exemption. A one-person firm with a single Massachusetts client faces the same requirements as a regional company.

Why This Matters

Massachusetts put one of the strictest data-protection regulations in the United States into effect on March 1, 2010. Many businesses subject to it have never heard of it.

The regulation applies not just to Massachusetts-based companies but to any person or business, anywhere in the world, that handles personal information about Massachusetts residents. That means your firm is covered if it has Massachusetts customers, clients, patients, or employees — even if your office is in Rhode Island, California, or Texas.

Non-compliance is not a theoretical risk. The Massachusetts Attorney General actively enforces this regulation, and civil penalties can reach $5,000 per violation. A breach that occurs without a documented security program creates civil litigation exposure on top of regulatory penalties, because the business cannot show that it had a program at all.

This is educational content. Consult legal counsel for determinations specific to your business and situation.

Quick Answer

MA 201 CMR 17 requires any covered business to:

  1. Maintain a Written Information Security Program (WISP) -- a written document that describes the security program.
  2. Implement specific technical safeguards, including encryption of personal data on portable devices.
  3. Implement physical security controls over records and devices.
  4. Require vendors who handle personal data on your behalf to maintain their own appropriate security measures.

There is no size exemption. The regulation applies to businesses with one employee and businesses with thousands.

What the Regulation Covers

201 CMR 17 is designed to protect “personal information” of Massachusetts residents. The regulation defines personal information as:

A person’s first name or first initial AND last name, combined with ANY of:

  • Social Security number
  • Driver’s license number or state-issued ID number
  • Financial account number — meaning a bank account number, or a credit or debit card number, with or without any required security code, access code, PIN, or password, that would permit access to the resident's financial account

If your business holds records that match this combination for any Massachusetts resident, the regulation applies to you.

Note: publicly available information and data that is encrypted and inaccessible to unauthorized users fall outside the definition. Verify the specific boundaries with legal counsel.
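The definition above is a compound test, and the place most businesses get it wrong is in their data inventory: a spreadsheet of customer names is not personal information, a list of bare account numbers is not personal information, but a first initial plus a last name next to a card number buried in a free-text "notes" column is. The script below is an added illustration, not code from Just In Time AI or from the regulation, of how to run that test over records during a data inventory. It assumes flat records with optional first_name (or first_initial), last_name, drivers_license and account_number fields plus free-text fields that may embed an SSN or a card number; it uses a Luhn check so that order numbers and phone digits do not count as card numbers. The exclusions for publicly available and encrypted data are not modelled, and the sample records are constructed, fictitious data.

```python
"""Flag records that meet the 201 CMR 17 definition of "personal information".

Added illustration, not code from Just In Time AI or from the regulation.
Assumed record shape: flat dicts with optional first_name / first_initial /
last_name / drivers_license / account_number fields; any string field may
embed an SSN or a card number. Public-data and encrypted-data exclusions are
not modelled.
"""
import re

# Dashed SSN; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes (PAN candidate).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum; keeps order numbers and phone digits out of card hits."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def identifiers_in(text: str) -> set:
    """Return the kinds of qualifying identifiers embedded in a text value."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found.add("financial_account")
            break
    return found


def has_name(record: dict) -> bool:
    """First name OR first initial, plus last name. Either part alone fails."""
    first = (record.get("first_name") or record.get("first_initial") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def classify_record(record: dict) -> dict:
    """Decide whether one record is 'personal information' under 201 CMR 17.00."""
    ids = set()
    # Labelled identifier fields count regardless of their format.
    if (record.get("drivers_license") or "").strip():
        ids.add("drivers_license")
    if (record.get("account_number") or "").strip():
        ids.add("financial_account")
    # Free-text fields are scanned for embedded identifiers.
    for value in record.values():
        if isinstance(value, str):
            ids |= identifiers_in(value)
    name = has_name(record)
    return {"covered": name and bool(ids), "has_name": name, "identifiers": sorted(ids)}


# Constructed sample records (fictitious data, for illustration only).
SAMPLE_RECORDS = [
    {"first_name": "Ana", "last_name": "Silva", "notes": "SSN 123-45-6789 on file"},
    {"first_name": "Ana", "last_name": "Silva", "notes": "prefers email"},
    {"first_name": "", "last_name": "", "notes": "SSN 123-45-6789"},
    {"first_initial": "J", "last_name": "Okafor", "notes": "card 4111 1111 1111 1111 exp 12/27"},
    {"first_name": "Lee", "last_name": "Park", "notes": "order 1234 5678 9012 3456"},
    {"first_name": "Maya", "last_name": "Chen", "drivers_license": "example-license-id"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
```

Records 1, 4 and 6 are covered; record 2 (name only), record 3 (SSN with no name) and record 5 (a 16-digit order number that fails the Luhn check) are not. In a real inventory you would run classify_record over exports from each system that holds customer, patient, employee or tenant data and keep the list of covered systems as the scope section of the WISP.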

Who It Applies To

The regulation applies to any person who “owns or licenses personal information about a resident of the Commonwealth.” The reach is broader than most businesses expect:

  • Retail and e-commerce businesses serving Massachusetts customers
  • Professional service firms -- law, accounting, financial advising -- with Massachusetts clients
  • Healthcare providers and dental practices with Massachusetts patients
  • Employers with Massachusetts employees
  • Landlords collecting tenant financial information
  • Nonprofits holding donor or client records
  • Technology companies and SaaS providers processing data about MA residents
  • Out-of-state businesses serving MA residents online

If you collect a first name plus a last name plus any of the three data categories above for a Massachusetts resident, you are covered — regardless of where your business is physically located.

The one notable carveout: businesses subject to and in compliance with federal regulations that provide equivalent protection (for example, certain financial services firms under Gramm-Leach-Bliley) may satisfy 201 CMR 17 through that federal framework. Consult legal counsel to evaluate whether a specific federal framework satisfies your 201 CMR 17 obligations.

What the Written Information Security Program Must Include

The regulation (17.03) specifies the elements your WISP must address. A written program that omits required elements is not compliant even if the underlying practices are sound — the written record must match and cover them all.

The following is an educational summary of the required elements. For the authoritative text, see the official 201 CMR 17.00 regulation on mass.gov (opens in a new tab). Consult legal counsel for determinations specific to your situation.

  1. Designated program owner

     Identify and name one or more employees responsible for maintaining the security program. The regulation requires accountability -- the program must have an owner.

  2. Risk assessment

     Document a process for identifying internal and external risks to the personal information you hold, and the safeguards that address each risk. The regulation requires ongoing assessment, not a one-time review.

  3. Employee training

     Train employees who handle personal information and keep records of who was trained, what was covered, and when. Training you cannot document is training you cannot demonstrate in an enforcement inquiry.

  4. Access controls

     Define who may access personal information and under what conditions. Implement secure authentication, enforce least-privilege access, and revoke access promptly when roles change or employees leave.

  5. Physical safeguards

     Secure the physical locations where personal information is stored or processed: locked storage, controlled access to server areas, and clean-desk practices for records containing personal data.

  6. Technical safeguards

     Encrypt personal information stored on laptops and other portable devices. Encrypt personal information transmitted across public networks or wirelessly. Maintain reasonably up-to-date firewall protection, operating system patches, and anti-malware software, and monitor systems for unauthorized use of or access to personal information. Use secure authentication protocols.

  7. Service provider management

     When vendors handle personal information on your behalf -- payroll, IT support, cloud hosting, accounting -- select them with reasonable diligence and require by contract that they maintain appropriate security measures.

  8. Incident response

     Define what you do when a breach occurs or is suspected: who investigates, who is notified, and in what timeframe. The Massachusetts breach-notification law (M.G.L. c. 93H) sets specific notification obligations that the WISP should reference.

  9. Periodic review

     Review and update the program at least annually and whenever there is a material change in your business practices, technology, or the employees responsible for security. A stale program is treated as a gap.

How 201 CMR 17 Relates to Other Frameworks

Many businesses already operate under HIPAA, PCI DSS, NIST, or SOC 2. Here is how each intersects with 201 CMR 17. This is an educational summary -- consult legal counsel to determine whether a specific framework satisfies your 201 CMR 17 obligations.

HIPAA

Covers protected health information. HIPAA compliance does not automatically satisfy 201 CMR 17. You still need a WISP for personal information outside the HIPAA definition.

PCI DSS

Addresses payment card data. PCI compliance addresses a subset of what 201 CMR 17 requires. You still need a WISP and the other required elements.

NIST 800-171 / NIST CSF / NIST 800-53

These are control catalogs and a framework, not federal regulations that replace 201 CMR 17. A program built on any of them covers the control domains the Massachusetts regulation requires, and usually exceeds them in depth, but you must still produce the WISP itself, the vendor contract terms, and the Massachusetts-specific safeguards such as encryption of personal information on laptops and portable devices, and document each of them.

SOC 2

The SOC 2 security trust service criteria overlap significantly with 201 CMR 17. A SOC 2 program covers most of the technical and operational requirements of the Massachusetts regulation, but a SOC 2 report is not a WISP; map the controls to the required elements and document the mapping.

How Just In Time AI Helps

Just In Time AI, headquartered in Berkley, MA, helps businesses across the United States understand their security posture and build written programs that hold up to state and sector requirements including MA 201 CMR 17.

The starting point is the free security self-assessment at jitai.co/security-assessment. It is a self-attested posture indicator -- not an audit or certification, and not a substitute for legal review. You answer 18 questions across the same control domains a WISP must cover: written policy, access controls, data protection, backup and recovery, detection and response, and vendor management.

From there, a paid gap assessment maps your current state against the specific requirements of 201 CMR 17 and the relevant NIST controls. We work with frameworks including NIST 800-171, NIST 800-53, NIST CSF, SOC 2, ISO 27001, and state WISP requirements. Consult your legal counsel for determination of your specific legal obligations.

Key Takeaways

  • MA 201 CMR 17 applies to any business that handles personal information of Massachusetts residents -- regardless of size, industry, or location.
  • Personal information means a name combined with a Social Security number, driver's license number, or financial account number.
  • The cornerstone requirement is a Written Information Security Program (WISP) -- a written document, not informal practices.
  • Technical safeguards are mandatory: encryption on portable devices, secure authentication, and current security software.
  • Vendor agreements must obligate your vendors to maintain appropriate security for data they handle on your behalf.
  • Penalties can reach $5,000 per violation. The Massachusetts AG actively enforces the regulation.
  • Programs built on NIST 800-171, NIST CSF, or SOC 2 cover the control domains 201 CMR 17 requires, but none of them replaces the WISP document or the Massachusetts-specific safeguards; map them explicitly.

Frequently Asked Questions

What is MA 201 CMR 17?
MA 201 CMR 17 is a Massachusetts regulation titled Standards for the Protection of Personal Information of Residents of the Commonwealth. It requires any business that handles personal information of Massachusetts residents to implement a Written Information Security Program and specific security safeguards. The regulation has been in effect since March 1, 2010.
Who does MA 201 CMR 17 apply to?
Any person or organization that owns, licenses, stores, maintains, or processes personal information about Massachusetts residents. This includes businesses located outside Massachusetts if they serve Massachusetts customers, employ Massachusetts residents, or otherwise hold their personal data. There is no exemption based on business size or number of employees.
What counts as personal information under 201 CMR 17?
A person's first name or first initial plus last name, combined with any of: Social Security number, driver's license or state ID number, or financial account number (bank, credit, or debit card). The data elements must appear together -- name alone or account number alone is not personal information as defined in the regulation.
What is the most important requirement of 201 CMR 17?
The Written Information Security Program (WISP). Without a written, documented security policy that covers the required elements, a business cannot demonstrate compliance -- even if its actual security practices are reasonable. The documentation requirement is absolute.
What are the penalties for violating MA 201 CMR 17?
Civil penalties can reach $5,000 per violation. The regulation is issued by the Office of Consumer Affairs and Business Regulation and enforced by the Massachusetts Attorney General. Businesses that experience a breach without a documented security program also face civil litigation exposure from affected individuals. Consult legal counsel regarding your specific situation -- this content is educational, not legal advice.
Does my business need to comply with 201 CMR 17 if it is not in Massachusetts?
Yes, if your business handles personal information of Massachusetts residents. The regulation applies to anyone who owns or licenses personal information about a resident of the Commonwealth, regardless of where the business is located. Physical presence in Massachusetts is not required.
How does 201 CMR 17 relate to HIPAA?
HIPAA covers protected health information. 201 CMR 17 covers personal information as defined above. If your business is subject to HIPAA, you have overlapping but distinct obligations. Satisfying HIPAA does not automatically satisfy 201 CMR 17 -- you still need a WISP meeting the Massachusetts standard for personal information outside the HIPAA definition, such as employee Social Security numbers. Consult legal counsel for guidance specific to your situation.
How do I know if my business is compliant with 201 CMR 17?
Start by confirming you have a written information security program that covers all required elements -- scope and ownership, risk assessment, access controls, training, vendor agreements, technical safeguards, and incident response. Then verify the document accurately reflects your current systems and practices. Our free self-assessment at jitai.co/security-assessment gives a self-attested posture view across these domains. A professional gap assessment against the regulation's specific requirements gives a structured evaluation with a remediation roadmap.

Find Out Where Your Security Posture Stands

Not sure if your business meets 201 CMR 17 requirements? The Just In Time AI free security self-assessment walks you through 18 questions across the same domains a WISP must cover. You get an instant on-page posture view -- no sales call required.

This is a self-attested posture indicator, not an audit or certification, and not a substitute for legal review. Consult qualified legal counsel for determinations specific to your business.

Just In Time AI — jitai.co — Berkley, MA — serving businesses nationwide