What Is 201 CMR 17.00
Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.
Last updated: April 15, 2026
Key Facts
- 201 CMR 17.00 took effect in March 2010
- Applies to all businesses handling MA residents' personal data
- Requires a written information security program (WISP)
- Mandates encryption of personal data on portable devices
- Defines personal information as name plus SSN, driver's license, or financial account number
Overview
201 CMR 17.00 is a landmark data protection regulation enacted by the Commonwealth of Massachusetts. It establishes strict requirements for how organizations must handle, store, and protect personal information belonging to Massachusetts residents.
The regulation was one of the first state-level mandates in the U.S. to require comprehensive data security practices. It applies not only to businesses based in Massachusetts but to any organization that collects or processes personal data of state residents.
- Effective date: The regulation officially took effect on March 1, 2010, following a phased implementation starting in 2009.
- Scope: Applies to all persons or entities that own, license, store, or maintain personal information of Massachusetts residents.
- Personal information: Defined as a resident’s first name and last name combined with one or more of the following: Social Security number, driver’s license number, or financial account number.
- Written Information Security Program (WISP): Requires organizations to develop, implement, and maintain a comprehensive written security plan tailored to the size and complexity of the business.
- Encryption mandate: Requires encryption of all personal information stored on portable electronic devices and transmitted over public networks.
How It Works
201 CMR 17.00 operates by imposing specific technical, administrative, and physical safeguards that organizations must follow to protect personal data. Compliance is enforced through periodic assessments, employee training, and documented security policies.
- Risk Assessment: Organizations must conduct a formal risk analysis to identify potential threats to personal information and evaluate existing safeguards.
- Employee Management: Requires businesses to train employees on proper data handling procedures and assign responsibility for the security program to a designated individual.
- Access Controls: Mandates that access to personal information be limited to authorized personnel based on job necessity and role-based permissions.
- Encryption Standards: Requires the use of industry-standard encryption (e.g., AES-256) for personal data stored on portable devices and for personal data transmitted over public networks.
- Third-Party Oversight: Businesses must ensure that service providers handling personal data also comply with 201 CMR 17.00 through contractual agreements.
- Monitoring and Updates: Organizations must regularly monitor their security systems and update protections in response to emerging threats or changes in operations.
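To make the scope definition and the encryption mandate concrete, here is an added example (not from the page's source or from Mass.gov) that triages a constructed data inventory: it applies the regulation's definition of personal information (first and last name plus SSN, driver's license, or financial account number) and flags in-scope records that sit unencrypted on a portable device or cross a public network. The Record fields, the SSN pattern, and the sample rows are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Identifiers that, combined with first and last name, make a record
# "personal information" under 201 CMR 17.00 (per the page's definition).
# SSN format check is an assumption: nine digits with optional dashes.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

@dataclass
class Record:
    first_name: str = ""
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""
    financial_account: str = ""
    portable_device: bool = False   # stored on a laptop, USB drive, or phone
    public_network: bool = False    # transmitted over the internet
    encrypted: bool = False

def is_personal_information(r: Record) -> bool:
    """True if the record meets the definition: first and last name plus at
    least one of SSN, driver's license number, or financial account number."""
    has_name = bool(r.first_name.strip()) and bool(r.last_name.strip())
    identifiers = [
        bool(SSN_RE.match(r.ssn.strip())),
        bool(r.drivers_license.strip()),
        bool(r.financial_account.strip()),
    ]
    return has_name and any(identifiers)

def findings(r: Record) -> list:
    """Report the encryption-mandate gaps for an in-scope record."""
    if not is_personal_information(r):
        return []
    out = []
    if r.portable_device and not r.encrypted:
        out.append("PI on portable device without encryption")
    if r.public_network and not r.encrypted:
        out.append("PI transmitted over public network without encryption")
    return out

def triage(records):
    """Return (index, findings) for every record the regulation covers."""
    return [(i, findings(r)) for i, r in enumerate(records) if is_personal_information(r)]

# Constructed sample inventory (not real data).
SAMPLE = [
    Record("Ada", "Lovelace", ssn="123-45-6789", portable_device=True),
    Record("Ada", "Lovelace", ssn="123-45-6789", portable_device=True, encrypted=True),
    Record("Alan", "Turing", financial_account="ACCT-0001", public_network=True),
    Record("", "Hopper", ssn="123456789", portable_device=True),  # no first name: out of scope
    Record("Grace", "Hopper", portable_device=True),              # name only: out of scope
]
```

Running triage(SAMPLE) returns rows 0, 1 and 2 as in scope, with findings only for the two unencrypted ones.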
Comparison at a Glance
How 201 CMR 17.00 compares to other major data privacy regulations:
| Regulation | Scope | Encryption Required | WISP Required | Enforcement Body |
|---|---|---|---|---|
| 201 CMR 17.00 | MA residents' data | Yes, on portable devices | Yes | Massachusetts Attorney General |
| GDPR | EU citizens' data | Recommended, not mandated | No | EU Data Protection Authorities |
| CCPA | California residents | No | No | California Privacy Protection Agency |
| NYDFS 23 NYCRR 500 | Financial services in NY | Yes, in transit and at rest | No | New York Department of Financial Services |
| HIPAA Security Rule | Protected health info | Addressable, not mandatory | Yes (Security Management) | HHS OCR |
This comparison highlights that 201 CMR 17.00 was ahead of its time by mandating encryption and a formal WISP. While newer laws like the CCPA focus on consumer rights, Massachusetts’ regulation emphasizes proactive data security, making it a model for other states considering similar rules.
Why It Matters
201 CMR 17.00 has had a significant impact on data security practices across industries, setting a precedent for state-level cybersecurity regulation in the U.S. Its requirements have influenced both corporate policy and subsequent legislation.
- Precedent-setting: Was among the first U.S. regulations to require encryption and a formal security program, influencing later laws in other states.
- Small business impact: Applies equally to small and large businesses, promoting consistent data protection standards regardless of company size.
- Breach prevention: Strong safeguards have helped reduce the risk of data breaches involving Massachusetts residents.
- Legal accountability: Non-compliance can lead to enforcement actions by the Massachusetts Attorney General, including fines and mandatory audits.
- Third-party risk management: Forces companies to vet vendors and ensure their data handling meets the same security standards.
- National influence: Elements of 201 CMR 17.00 have been adopted or mirrored in other state laws and industry best practices.
As cyber threats grow, 201 CMR 17.00 remains a critical benchmark for data security, demonstrating how proactive regulation can enhance consumer protection and organizational accountability.
Sources
- Mass.gov - 201 CMR 17.00 (Public Domain)