Massachusetts Cybersecurity Requirements
Understanding 201 CMR 17.00 – one of the nation's strictest state-level data security regulations for protecting personal information.
Important Disclaimer
The information provided on this page is for general informational purposes only. State cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for Massachusetts operations.
Overview
Massachusetts is one of the most frequently cited examples of a strict statewide cybersecurity rule: 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. These regulations establish minimum standards for any person or business that owns or licenses "personal information" about Massachusetts residents.
Who is Covered?
- Any person or entity engaged in commerce that owns or licenses personal information about a Massachusetts resident in connection with providing goods or services or employment
- This includes many financial institutions, lenders, mortgage companies, and service providers handling MA resident data
Core Cybersecurity Program Requirements
201 CMR 17.00 requires covered entities to implement and maintain a comprehensive written information security program (WISP) that is:
Customized and Risk-Based
- "Appropriate to the size, scope, and type of business"
- Takes into account the amount and sensitivity of personal information, the need for security, and the business's resources
Administrative Safeguards
- Designate one or more employees to maintain the security program
- Perform ongoing risk assessment of internal and external threats
- Develop policies for storage, access, and transportation of personal information
- Impose disciplinary measures for violations
- Oversee service providers and require contractual safeguards
- Review the WISP at least annually or when there is a material change in business practices
Technical Safeguards
- Secure user authentication (password policies, access controls)
- Unique IDs and access logging
- Encryption of personal information transmitted over public networks and, to the extent technically feasible, on portable devices and in certain storage contexts
- Up-to-date firewall protection and security patches
- Malware protection and system monitoring for unauthorized use
- Reasonable system security for wireless networks
Physical Safeguards
- Restrict physical access to records containing personal information
- Secure storage, destruction, and disposal practices
Breach and Enforcement
- 201 CMR 17.00 ties into Massachusetts' broader data breach law, which requires notification to affected residents and the Attorney General in the event of a security breach involving personal information
- Non-compliance can be treated as an unfair or deceptive practice under Massachusetts consumer protection law, potentially leading to enforcement actions
