Massachusetts 201 CMR 17.00

Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts

MA 201 CMR 17.00 establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records by all persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain, and monitor a comprehensive, written information security program applicable to any records containing such personal information.
These regulations was originally supposed to take effect on May 1, 2009, but was changed to January 1, 2010.

Does This Affect My Business?

201 CRM 17.00 affects any company possessing the personal information of a Massachusetts resident including customers, employees or otherwise. The Standards define “personal information” as a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code.

Businesses that are located outside of the Commonwealth of Massachusetts are still subject to complying with this regulation if the business handles Massachusetts residents’ personal information. Examples of this include, but are not limited to:
Retailers processing credit card or bank account numbers of Massachusetts residents;
Companies processing mortgage or loan applications for Massachusetts residents; and
Companies maintaining payroll information of remote staff residing in Massachusetts.
Compliance under the Standards is required on or before January 1, 2010.

What Are the Primary Requirements of the Regulation?

This regulation mandates that businesses holding Massachusetts residents’ personal information:

Develop, implement, and maintain a comprehensive written security program for personal information; security programs must be properly staffed and have training and monitoring in place to ensure employee compliance;
Inventory and identify all records to determine which contain personal information or handle all records as if they contain personal information;

Encrypt personal information stored on portable devices carrying personal information including laptops, PDAs and flash drives or transmitted wirelessly or on public networks; and
take reasonable steps to verify that any third-party service provider with access to personal information has safeguards in place that meet or exceed the Standards.

By purging outdated material and storing your active and/or inactive files with NORTHEAST RECORD RETENTION, we will assist your company in maintaining a document shredding program and/or records management program that meets or exceeds the Massachusetts 201CMR 17 regulations.

NORTHEAST RECORD RETENTION uses state-of-the-art technology and highly trained and certified security professionals. We efficiently shred all documents either on your premises or at our state-of-the-art records center. We give you the option to watch the shredding process, and also provide you with a Certificate of Destruction that records each shred.

With our document management and records storage program, you will quickly and accurately gain access to your documents. We use the O’Neil Software Inventory system with barcodes that will track all activity, help determine which files to maintain, how long to do so, and how to legally dispose of them when the records are no longer needed.

Trust NORTHEAST RECORD RETENTION as your partner in compliance with Massachusetts 201 CMR 17.00 for maintaining your document security program.

For more information on the Massachusetts 201 CMR 17.00, visit:




< Back to Compliances

DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.

© Northeast Record Retention.
New England's leading provider of record storage and data shredding services.

Ph: 1-877-603-3100
Fax: 1-603-792-8693