Mass 201 CMR 17.00: When State Compliance Kicks in, How Do You Respond?

David Ting

May 13, 2020

While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:

17.05: Compliance Deadline

(1)Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

We began talking about this Massachusetts data privacy regulation and what it means back in November 2008, and continued the discussion on this blog in September 2009 as the compliance deadline was pushed off numerous times throughout the course of 2009. Now, the day has finally come, and Mass 201 CMR 17.00 is officially here and active.

As you may know, Massachusetts is at the forefront with legislation that creates standards for protecting personal information in both paper and electronic format. A key purpose of the standards is to “protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer” and minimize overall security risk.

While we’ve examined the specific parameters in our previous blog posts on the topic, it’s important to recognize what companies must do now if they own or license information about a resident of the Commonwealth. A majority of the provisions in the Mass 201 CMR 17.00 standards center on securing access to data, so as such it’s crucial to:


• Map where personal information resides in your company
• Inventory which applications access and/or store personal information
• Understand what third-party service providers access this personal information
• Ensure only appropriate, authorized access to data by personnel by deploying appropriate user authentication technologies
• Assign unique identifications such as fingerprint biometrics plus strong passwords to fortify security and eliminate password sharing… then streamline log-on/off process by single sign-on enabling applications
• Monitor and report on access of personal information to ensure compliance
• Regularly educate and train users on appropriate system user and the importance of securing personal information

If you’ve accounted for the above, you’re well on your way toward compliance. If not, what are you going to do when the Commonwealth of Massachusetts comes knocking? Do you really want to find out?

--David