
201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Section:

  • 17.01: Purpose and Scope
  • 17.02: Definitions
  • 17.03: Duty to Protect and Standards for Protecting Personal Information
  • 17.04: Computer System Security Requirements

17.01: Purpose and Scope

(1) Purpose This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

(2) Scope The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

17.02: Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted, the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the Office of Consumer Affairs and Business Regulation.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

  • (a) Social Security number;
  • (b) Driver's license number or state-issued identification card number; or
  • (c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available in