Massachusetts/MA 201 CMR 17 Privacy Laws

Beginning in March 2010, every business that carries personal information about a Massachusetts resident is required to adhere to the requirements listed in 201 CMR 17. For many organizations, navigating these new standards and ensuring compliance is quite challenging. Newer regulations require companies to:

  • Identify who can access information

  • Complete training for individuals responsible for the ongoing management

  • Establish a comprehensive security program with a set of written policies

  • Determine whether a gap exists through interviews, observation and policy review, and establish a remediation course of action

Beyond regulatory compliance, organizations that identify the strengths and weaknesses of their information security management systems protect their business from an increasing number of threats while protecting their reputation and brand. Using our assessment methodology, Security Management Partners can help your organization navigate the new Massachusetts data protection law, 201 CMR 17, to prevent security breaches and identity theft.

Security Management Partners provides support in policy creation and risk assessments, while system, firewall and network testing helps your organization reduce the risk of financial and legal ramifications from violating 201 CMR 17 requirements and strengthens your overall information security. In addition, SMP provides remediation recommendations that help organizations better manage their security initiatives and remain in compliance with today's evolving rules.


  • Analyze data flow

  • Assess risk of personally identifiable information

  • Analyze inventory of personally identifiable information

  • Verify current information security management system

  • Assess existing policies and policy enforcement

  • Assess employee training

  • Assess and verify access to personal information

  • Assess hardware, software, antivirus and firewall management

  • Assess secure access controls

  • Assess annual audit plan for ongoing monitoring and review

  • Assess encryption of all mobile personally identifiable information files, folders and removable storage

  • Assess disaster recovery and business continuity plans

  • Review vendors to ensure third-party compliance

  • Assess physical access to records controls

  • Remediate any gaps identified

MA 201 CMR 17 Consulting in Action

Read about how SMP guided Genzyme Corporation's compliance efforts with Massachusetts Regulation 201 CMR 17.