Massachusetts' MA 201 CMR 17.00 data protection regulations go into effect on Monday, March 1, and that is a huge step forward for the protection of personal information.
Breach disclosure laws are old news, but 201 CMR 17.00 is different: it prescribes data protection specifics, and it is not limited to those in Massachusetts: “201 CMR 17.01 (2) Scope The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.” Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they: “Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”
This is a big deal, for two key reasons. First, it is leading the way in state regulation of the protection of data. There have been other regulations covering protection of data, but I believe this is groundbreaking and will be followed by other states. Second, it has a very broad reach: it is not industry-specific, and it applies to a large number of organizations which have never had regulatory requirements on their IT systems before.
Specifically, it applies to: “Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” There is an exclusion for Massachusetts government, but it is covered under Executive Order 504, which mandates similar protection of data for state agencies. This regulation can put a significant burden on businesses which do business with Massachusetts residents, and I believe that small businesses face the biggest challenges. (The burden is to do what they should already be doing, but are not; that doesn't mean it will be easy.)
Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply. Organizations in the 40-200 user range are probably going to have the hardest time (as they often do): they're too big to do everything manually, and not big enough to justify the enterprise tools that help manage some of the tasks at hand. You can find a PDF of the regulations at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
The original article/video can be found at Massachusetts’ MA 201 CMR 17.00.