MGL 93H is in effect in Massachusetts. Now what?

The Massachusetts Information Security regulation (CMR 17.0) went into effect on March 1, 2010. It calls for 'reasonable' measures to be taken to keep personal information safe. So what are those reasonable measures? The Massachusetts Department of Consumer Affairs has provided some guidelines on what those measures are.


It all starts with a WISP!

A Comprehensive Written Information Security Program (WISP) should be integral to your compliance program. Every company handling personal information (a combination of name and/or address PLUS an SSN, bank account number, state ID number or any similar unique identifier) should have a WISP.

A WISP need not be extensive; it can be 3-4 pages. A sample WISP template can be found at

The following measures are to be taken, at a minimum, by all companies to ensure the protection of personal information:

1. A designated employee to manage and maintain the Information Security Program.

2. Training for employees on the proper handling of the confidentiality, security and integrity of personal information, whether recorded electronically or on paper.

3. A written policy that states how employees are allowed to keep, access and transport records containing personal information, both on and off premises. The policy should be read and signed off by each employee, and a sample of the policy should be part of the WISP.

4. The same policy should include disciplinary measures for violations.

5. The same policy should state the measures taken to prevent terminated employees from accessing records containing personal information.

6. Third-party vendors should certify that they have a WISP and a security program in place to protect any personal information you need to share with them for business purposes. Such certifications should be made part of vendor agreements.

7. Limited, restricted and controlled physical access to locations containing personal information (e.g. locked cabinets, limited access to server rooms, etc.).

8. A standardized methodology to identify the records and devices used to store personal information. If possible, segregate devices containing personal information from those containing non-personal information.

9. Written approval from a manager before employees gain physical access to personal information. Keep records of who has access to what information.

10. Regular monitoring and review of all aspects of the Comprehensive Security Program.

11. An annual review of the effectiveness of the Information Security Program.

12. Documentation of the actions taken in response to a security breach.

Apart from these twelve (12) administrative steps, the following eight (8) IT-related steps are recommended by the Office of Consumer Affairs:

13. Secure user authentication protocols.

14. Secure access control measures.

15. All transmitted records are to be encrypted.

16. Monitoring of the network traffic and of the servers containing personal information.

17. All laptops and storage devices must have their data encrypted.

18. All systems must be firewalled and have up-to-date operating system patches, as per industry standards.

19. Activated and up-to-date anti-virus and anti-spam applications.

20. Employees should be trained to recognize potential security lapses, and there should be a clear procedure for escalating a lapse to the appropriate personnel.

These twenty (20) steps are deemed reasonable by the Department of Consumer Affairs, the regulatory body in charge of CMR 17.0 compliance.
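Step 8 above asks for a standardized way to identify which records (and therefore which devices) hold personal information. The following Python sketch is an added example, not part of the original post, that classifies records using the post's own definition (name and/or address PLUS an SSN, bank account number or state ID number); the record layout, field names and identifier patterns are assumptions made for illustration.

```python
import re

# Identifier patterns. These formats are assumptions for illustration; a real
# inventory would use the exact field layouts of the systems being scanned.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*#?\s*:?\s*\d{8,17}\b", re.I)
STATE_ID_RE = re.compile(r"\b(?:license|state id|dl)\s*#?\s*:?\s*[A-Z]?\d{7,9}\b", re.I)


def classify_record(record):
    """Classify one record (a dict of field name -> text).

    Per the definition quoted in the post, a record is in scope only when it
    pairs a name and/or address with at least one sensitive identifier.
    An identifier on its own, or a name on its own, is not in scope.
    """
    text = " ".join(str(v) for v in record.values())
    has_subject = bool(record.get("name")) or bool(record.get("address"))
    found = {
        "ssn": bool(SSN_RE.search(text)),
        "account": bool(ACCOUNT_RE.search(text)),
        "state_id": bool(STATE_ID_RE.search(text)),
    }
    identifiers = [k for k, v in found.items() if v]
    return {"in_scope": has_subject and bool(identifiers), "identifiers": identifiers}


def scan_store(records):
    """Return the indexes of records holding personal information, so the store
    (and the device it lives on) can be tagged for the stricter controls."""
    return [i for i, r in enumerate(records) if classify_record(r)["in_scope"]]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "address": "1 Main St, Boston MA", "notes": "SSN 123-45-6789"},
    {"name": "", "address": "", "notes": "ticket ref 123-45-6789"},      # SSN, no subject
    {"name": "John Roe", "address": "", "notes": "prefers email contact"},  # name only
    {"name": "Ann Poe", "address": "", "notes": "account #: 123456789012"},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify_record(rec))
    print("records in scope:", scan_store(SAMPLE_RECORDS))  # [0, 3]
```

Records 1 and 2 show the two halves of the definition on their own: a bare identifier and a bare name are each flagged as out of scope, which is why the inventory has to look at the combination rather than at any single field.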

In the event of a breach involving personal information, as a company you are responsible for:

1. Notifying the Attorney General's office about the breach.

2. Notifying each affected Massachusetts resident about the nature of the breach.


