Massachusetts Data Security Regulation (201 CMR 17.00)

Summary

Massachusetts imposes some of the most prescriptive data-security requirements in the US. 201 CMR 17.00 applies to every person or business, wherever located, that owns or licenses "personal information" about a Massachusetts resident, and it spells out specific administrative, technical and physical safeguards rather than a general duty of reasonable care.

Rights & Rules

  • 01.
    "Personal information" means a resident's name (first and last name, or first initial and last name) combined with a Social Security number, a driver's license or state ID number, or a financial account number or credit/debit card number. Any business holding that combination MUST develop, implement and maintain a comprehensive information security program, in writing, commonly called a written information security program (WISP).
  • 02.
    To the extent technically feasible, the business must encrypt all records containing personal information that are transmitted across public networks (such as the internet) or wirelessly, and all personal information stored on laptops or other portable devices (such as USB drives). The same section also requires secure user authentication, access controls, up-to-date patching and malware protection, monitoring, and security training.
  • 03.
    If the business hands personal information to a third-party service provider (such as a cloud storage provider), it must take reasonable steps to select and retain providers capable of maintaining appropriate safeguards, and must require those providers by contract to implement and maintain them. Outsourcing the data does not outsource the obligation.

Penalties

  • 01.
    The regulation is enforced by the Massachusetts Attorney General under the state consumer protection statute (M.G.L. c. 93H § 6 and c. 93A § 4). The AG can seek civil penalties of up to $5,000 per violation, injunctive relief and costs, and affected consumers can separately pursue damages. A breach is not a prerequisite: failing to maintain the required program and safeguards is itself a violation, although enforcement most often follows a reported breach.

Verified Citations

Code of Massachusetts Regulations 201 CMR 17.00

Source
"Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts..."