The future of IT security compliance: 201 CMR 17.00

Why should you be concerned about a security rule that is part of the State law of Massachusetts -- especially if you aren't in business there? Donovan Colbert explains how compliance regulations have far-reaching effects in IT.

I spent the last week researching and writing a policy for compliance with statute 201 CMR 17.00 of the Massachusetts General Law. I'm pretty happy with the results, but I'm concerned about the direction this law shows IT regulation and compliance headed, and I think it foreshadows a troubling future for businesses and IT professionals.

At its heart, 201 CMR 17.00 is an attempt to regulate the practices of businesses, with a focus on information technology security, in order to protect consumers and individuals from the threat of identity theft or financial exploitation. Because it is a State level regulation and it covers much of the same ground already handled by other similar programs such as HIPAA and PCI compliance, many businesses are either unaware of 201 CMR 17.00 or think they already have measures in place that meet or exceed anything that a State regulation could require. Additionally, many businesses think that because they're not in the state of Massachusetts, they're not subject to the regulations enacted there.

Unfortunately, all of those assumptions are incorrect:

Compliance with HIPAA, PCI, Red Flag, or other similar info security policies and regulations does not meet the requirements for 201 CMR 17.00.

It does not matter where your business is located, if you collect information from customers or residents of the state of Massachusetts, you are subject to the requirements described in the regulation.

The good news is that if you are already compliant with one of the other regulations, you're probably a good part of the way toward being compliant with this regulation. In fact, most security rules designed to protect personal information are stricter than 201 CMR 17.00.

The bad news is that until you create a Written Information Security Plan (WISP) that addresses each criteria of 201 CMR 17.00, you're not compliant even if you're already practicing equal or superior security practices to those required under the Massachusetts statute.

You may think, "So what! If I am compliant with stricter rules, I'll never have to deal with a breach that would expose me to liability in Massachusetts." The truth is that even with well implemented HIPAA policies and practices, ePHI breaches still frequently occur in the healthcare industry. In that example, if your organization had a ePHI breach and your HIPAA policy was well defined and practiced, you would probably face minimal repercussions from the Department of Health and Human Services. If that ePHI breach also contained patient "Personal Information" as defined under 201 CMR 17.00 and you had no WISP defined though, you could still face prosecution and heavy fines in the state of Massachusetts despite your HIPAA policy.

If you're in Massachusetts you probably already know about this statute and have taken steps to implement it in your organization. For any other business that deals with residents from Massachusetts and stores certain combinations of their personal information in any form, knowing about 201 CMR 17.00 and having a written policy described is essential.

Some key points of 201 CMR 17.00

  • You must have a unique WISP on file, even if you meet other compliance standards.
  • Some provisions of 201 CMR 17.00 are flexible based on your scope, resources, and risk assessment. Others are not. This can be confusing to sort out.
  • You must meaningfully practice the provisions detailed in your WISP, including audits and improvements if warranted.
  • All companies gathering data from residents in Massachusetts are subject to this statute regardless of their physical location.
  • Audits by the Commonwealth are rare - but a breach affecting Massachusetts residents is likely to cause a response.
  • If you believe you store data that qualifies as "Personal Information" under 201 CMR 17.00, seek qualified advice to evaluate what your response should be.

The current state of affairs is like the situation which led to the federal Interstate Commerce Act of 1887. In that case, various States passed their own laws in response to concern of abuses by the railroad industry in setting rates for long and short haul transport of goods. In protecting the businesses that depended on the railroads for transportation, a confusing patchwork of regulation that varied greatly from state to state arose, causing chaos for all parties involved. The railroads, businesses and consumers had to cope with different laws that changed at each State line. Being unaware of the different laws meant that a business transporting goods across multiple states might ship through a state where laws were more lenient toward the railroads, resulting in unforeseen shipping rates. The railroads in turn had to manage and be aware of the different laws in each state, causing pricing, accounting and compliance nightmares for their industry. Finally, the Federal government stepped in and passed unifying laws.

Working with 201 CMR 17.00 shortly after leaving a HIPAA-covered industry made me realize that there are a number of state regulations like this out there, and the number grows every day. I think most IT shops are not familiar with these different regulations, and that even among the best organizations, many are hoping that compliance to one of the tougher standards is sure to cover them in any case where they run afoul of a State statute. This is a potentially expensive assumption to make that could result in hundreds of thousands of dollars of fines and in some cases, criminal penalties.

Clearly it isn't practical for most small businesses to discover all regulations that apply to them and create individual policies to ensure they are compliant. Most businesses will simply operate without a safety net until some situation forces them to respond. Generally that situation will be an important customer insisting on compliance in a contract, or a reactive response to a breach and resulting legal action. Eventually, the burden of dealing with all of these individual attempts to ensure protection of customer information must be consolidated or it creates an unrealistic burden for the industry.

In the meantime, if you're already compliant with any other data security rule, you do interstate business, and there is any chance you may have customers from Massachusetts now or in the future, it is a good idea to familiarize yourself with this rule and spend the time to quickly create a WISP so you are prepared for the worst case scenario.


Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...


It is also worth noting, that the WISP, although more defined in some ways than HIPAA, is a great way to introduce yourself to the general security policies and how to research and craft a written security policy for other industries, like HIPAA. It is a very concise law, overall - and that makes it easier to get your mind around than something like HIPAA. For example, it still has the same kind of Two Rule outline (A Privacy rule and Security rule) - but in a much simpler format.


in regards to the statement about the WIPS - to clarify, does this mean a separate document covering each MA requirement, or can it be a component of the overall Info Sec Policy document with general coverage of the documents?


We work in the Aftermarket Auto Parts industry. This requires us to work with many customers and businesses who do or do not operate within the Commonwealth of Massachusett, some large automotive industries and some smaller support businesses for this industry. They either have taken the position of NOT taking the steps needed to comply with our requirements and finding a work around to get the information they need or complying with our requirements. Unfortunately, the first situaton is the majority one taken. So what is it going to take for these corporations to realize we are doing this for everyone's benefit not just because we are trying to make their jobs harder?


I'd recommend talking to legal counsel. I don't feel fully qualified to answer that question. If you want to be sure you've covered your bases, though - just draw up a stand alone WISP. I think that the considerations on scope, resources and risk assessment will have a significant impact on which course is best for you. If you had a WISP that followed the outline of 201 CMR 17.00 but references other documents or parts of your security policy in a clear and unmistakable way and gave an overview of the referenced policy, claimed that this policy meets the requirements for compliance with CMR 17.00, and referred to the general policy for more clarification - I imagine that would be OK, *provided* that the general policy was enforced and actually met the minimum reasonable requirements for CMR 17.00 compliance. But you still need the WISP outline, and you need to define the individuals, teams and other WISP specific requirements. It seems like it would be less actual work, even if somewhat redundant, to just create a stand-alone WISP document. There are templates online - and in fact, the format of the 201 CMR 17.00 regulation *is* a template for creating a WISP. 201 CMR 17.01 describes the purpose of the regulation. On your WISP, address this by describing the purpose of your WISP. 201 CMR 17.02 describes the expectations of scope, resources and risk assessment, In your WISP, analyze your scope, resources and do a risk assessment. etc... When you're done, you've got a WISP. Run it by your legal resources, make sure they approve it, and start practicing anything you're not already doing that is defined in the WISP.

What if every Country/State/County/City/Territory had slightly different requirements? How are companies supposed to comply with thousands of different local regulations? What happens if some of them conflict (cuz that's never happened before)? I'm all for protecting people, but this could get crazy. It would get to a point where it would be cheaper to insure against loss then comply with every possible regulation. Bill

Editor's Picks