Basics of the New Massachusetts Data Privacy Regulation

August 20, 2010
Padlock Image

Last week I gave a lightning talk on this topic at Boston Ruby Group. There was nothing new in the technical part of my presentation; everyone in the audience was a professional developer and was already following good security practices.

However, I was impressed by the number of people who were not aware that now it's not only good practice; it's the law. And if you don't do it, you're subject to penalties.

I decided to write this short post with the highlights in order to help spread the word. You can get the full presentation from SlideShare. I also provide several links below to get more information and resources to help your small business become compliant.


The official name of the regulation is 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth


The regulation became effective March 1, 2010


Any individual, company, or organization, that stores personal information of residents of the Commonwealth of Massachusetts must comply

What is Personal Information?

Person's first name (or initial) and last name and anyone of these:

  • Social Security number
  • Driver’s license number
  • Account number: credit card, bank account, etc.

Administrative Requirements

The regulation requires one to maintain a comprehensive written information security program (WISP). This document must analyze the risks to security and describe how they'll be prevented. Some of its elements are:

  • Designate one person to be in charge of security
  • Security policies
  • Restrictions upon access to personal information
  • Keeping audit trails
  • Overseeing service providers

Technical Requirements

The most important are:

  • Firewalls, anti-virus, keeping software updated
  • User authentication: passwords or biometrics
  • Access control (permission is granted when needed only)
  • Encryption is mandatory for:
    • Email containing personal information
    • Wireless networks
    • VPN for remote access
    • Laptops and other portable devices

My Recommendations

The simplest way to comply with the regulations is not maintaining any personal information (PI) at all. However, this is rarely the case. If you own a business with 2 employees and keep their Social Security numbers, you must comply.

It's easy to use web-based services to do payroll, this way the PI won't be saved in your computer, but with your service provider. Keep paper records in a locked file cabinet inside a secure office. You still need the WISP though (see link to sample below).

If You Need Encryption

The encryption requirement is what has created more problems among small businesses, because they don't have the expertise to implement the technology.

The easiest way to comply is again: don't do it. If you need to send documents containing personal information to your customers, use fax, FedEx, even first class is compliant. And don't save personal information in your laptop, this way there's no need to encrypt it.

Encryption technology has been around for a long time and it's free if you use open source software, like GPG for email and TrueCrypt for encrypting laptops.

The problem with GPG is that it's complicated for non-technical users, especially the part that involves handling the cryptographic keys.

There are several products that provide easy to use solutions to send and receive secure messages with your customers. I like to recommend the one I developed: Solid Secure. There's no software to install. It's very easy to use because it works just like Gmail or Yahoo Mail. But as the owner of your business, you control who becomes a user.

Resources and Additional Information

Disclaimer: I am not a lawyer and this is not legal advice