Massachusetts 201 CMR 17: The Strictest US State Data Security Rule
Why Massachusetts 201 CMR 17 Is Different from Other State Data Laws
Most state data security laws (the SHIELD Act, GLBA, state breach notification laws) require "reasonable" safeguards and leave organizations to define what reasonable means. Massachusetts 201 CMR 17, by contrast, prescribes specific technical and administrative controls. It is widely considered the strictest state-level data security regulation in the United States.
The regulation, formally titled "Standards for the Protection of Personal Information of Residents of the Commonwealth," took effect in 2010 and applies to every person or organization that owns, licenses, stores, or maintains personal information about a Massachusetts resident. As with the SHIELD Act, applicability is broad: there is no minimum size threshold, no industry restriction, and no Massachusetts presence requirement. An organization in any state holding personal information of even one Massachusetts resident is in scope.
The defining feature of 201 CMR 17 is the Written Information Security Program (WISP) requirement combined with explicit technical controls. The WISP is a comprehensive program document; the technical controls are specific configurations the regulation names directly.
Scope and Personal Information Definition
"Personal information" under 201 CMR 17 means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of:
Social Security number
Driver's license number or state-issued identification card number
Financial account number, credit card number, or debit card number
The definition is narrower than the SHIELD Act's in some respects (it excludes biometric data and online credentials), but the controls required are substantially more prescriptive.
The Written Information Security Program (WISP)
201 CMR 17.03 requires a comprehensive WISP that contains administrative, technical, and physical safeguards. The WISP must:
1. Designate one or more employees to maintain the comprehensive information security program
2. Identify and assess reasonably foreseeable internal and external risks
3. Develop security policies for employees relating to the storage, access, and transportation of records containing personal information outside business premises
4. Impose disciplinary measures for violations
5. Prevent terminated employees from accessing records
6. Oversee service providers, including selection, contractual commitments, and verification
7. Restrict physical access to records
8. Conduct regular monitoring of the WISP and adjust as needed
9. Document responsive actions taken in connection with security incidents
10. Review the scope of security measures at least annually
11. Update the WISP whenever there is a material change in business practices that may reasonably implicate the security or integrity of records
The WISP is a living document. It must be specific to the organization and updated as conditions change. A template WISP that does not reflect the organization's actual environment is a finding waiting to happen.
The Specific Technical Controls
201 CMR 17.04 enumerates technical controls the WISP must address. Unlike the SHIELD Act, the regulation names specific controls:
Secure user authentication protocols, including:
Control of user IDs and other identifiers
Reasonably secure method of assigning and selecting passwords (or use of unique identifier technologies like biometrics or token devices)
Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data
Restricting access to active users and active user accounts only
Blocking access to user identification after multiple unsuccessful attempts
Secure access control measures, including:
Restricting access to records and files containing personal information to those who need such information to perform their job duties
Assigning unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access
Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly
Encryption of personal information stored on laptops or other portable devices
Reasonable monitoring of systems for unauthorized use of or access to personal information
Reasonably up-to-date firewall protection and operating system security patches
Reasonably up-to-date versions of system security agent software including malware protection
Education and training of employees on the proper use of the computer security system and the importance of personal information security
The encryption requirement is unusually specific. Encryption of personal information on portable devices and during public network transmission is not optional and not waivable based on a risk assessment.
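As an added illustration (not code from the article or from CISGuard), the check below evaluates constructed host and account inventory records against the 17.04 safeguards listed above and tags each finding with the subsection it relates to, so the output can feed the monitoring record a WISP has to keep. The record schema, the flag names, the 30-day patch-age and 10-attempt lockout thresholds, and the three sample hosts are assumptions; the clause numbers are those of 201 CMR 17.04 itself, and the thresholds stand in for the regulation's "reasonably up-to-date" and "multiple unsuccessful attempts" wording.

```python
"""Added example, not code from the article or from CISGuard: evaluate constructed
inventory records against the technical safeguards enumerated in 201 CMR 17.04.
The record schema, flag names, thresholds and sample hosts are all assumptions."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Assumed thresholds: the regulation fixes no numbers for "reasonably up-to-date"
# patches or for lockout after "multiple unsuccessful attempts".
MAX_PATCH_AGE_DAYS = 30
MAX_LOCKOUT_THRESHOLD = 10


@dataclass
class Account:
    username: str
    active: bool                   # False once the owner has left or the account is retired
    vendor_default_password: bool  # flag reported by the inventory tool (assumed)


@dataclass
class Host:
    name: str
    portable: bool                 # laptop, tablet, removable drive
    disk_encrypted: bool
    lockout_threshold: int | None  # failed attempts before lockout; None = none configured
    last_os_patch: date
    firewall_enabled: bool
    malware_agent_current: bool
    pi_transit_encrypted: bool     # PI crossing public or wireless networks is encrypted
    audit_logging_enabled: bool
    accounts: list[Account] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    host: str
    clause: str   # subsection of 201 CMR 17.04 the gap relates to
    detail: str


def evaluate_host(host: Host, as_of: date) -> list[Finding]:
    """Return one Finding per safeguard the host record fails."""
    findings: list[Finding] = []

    def flag(clause: str, detail: str) -> None:
        findings.append(Finding(host.name, clause, detail))

    # 17.04(1)(e): block access after multiple unsuccessful login attempts
    if host.lockout_threshold is None:
        flag("17.04(1)(e)", "no account lockout configured")
    elif host.lockout_threshold > MAX_LOCKOUT_THRESHOLD:
        flag("17.04(1)(e)", f"lockout threshold {host.lockout_threshold} too high")
    for acct in host.accounts:
        # 17.04(1)(d): access for active users and active accounts only
        if not acct.active:
            flag("17.04(1)(d)", f"inactive account still enabled: {acct.username}")
        # 17.04(2)(b): unique IDs with passwords that are not vendor defaults
        if acct.vendor_default_password:
            flag("17.04(2)(b)", f"vendor default password in use: {acct.username}")
    # 17.04(3): encryption of PI transmitted over public or wireless networks
    if not host.pi_transit_encrypted:
        flag("17.04(3)", "personal information transmitted unencrypted")
    # 17.04(4): reasonable monitoring for unauthorized use or access
    if not host.audit_logging_enabled:
        flag("17.04(4)", "audit logging disabled")
    # 17.04(5): encryption of PI on laptops and other portable devices
    if host.portable and not host.disk_encrypted:
        flag("17.04(5)", "portable device without full-disk encryption")
    # 17.04(6): reasonably up-to-date firewall protection and OS patches
    if not host.firewall_enabled:
        flag("17.04(6)", "host firewall disabled")
    patch_age = (as_of - host.last_os_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        flag("17.04(6)", f"OS patches {patch_age} days old")
    # 17.04(7): reasonably up-to-date security agent software / malware protection
    if not host.malware_agent_current:
        flag("17.04(7)", "malware protection agent out of date")
    return findings


def evaluate_fleet(hosts: list[Host], as_of: date) -> list[Finding]:
    return [f for h in hosts for f in evaluate_host(h, as_of)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    # Findings per 17.04 clause, the figure a WISP monitoring record would carry
    return dict(Counter(f.clause for f in findings))


# Constructed sample inventory as of a fixed date (not real hosts).
AS_OF = date(2024, 6, 1)
SAMPLE_HOSTS = [
    Host("sales-laptop-07", True, False, 5, date(2024, 5, 1), True, True, True, True,
         [Account("jdoe", True, False)]),
    Host("hr-db-01", False, True, None, date(2024, 5, 25), True, True, False, False,
         [Account("dba", True, False), Account("former-staff", False, False),
          Account("admin", True, True)]),
    Host("branch-router", False, True, 3, date(2024, 5, 30), False, True, True, True,
         [Account("admin", True, True)]),
]
```

Running `evaluate_fleet(SAMPLE_HOSTS, AS_OF)` yields nine findings: the unencrypted laptop also trips the patch-age check because its last patch is 31 days old, the HR database fails lockout, terminated-account, default-password, transit-encryption and logging checks, and the router fails on its default credential and disabled firewall. Keying each finding to a 17.04 subsection is the point: an auditor asks for evidence per named control, not for a generic "secure configuration" score.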
The Service Provider Oversight Requirement
201 CMR 17.03(2)(f) imposes service provider oversight obligations. A covered entity must:
Take reasonable steps to select and retain service providers that are capable of maintaining appropriate security measures
Require by contract that service providers maintain such appropriate security measures
For service providers that came under contract after March 1, 2012, the contractual security commitment must be explicit and in writing. Pre-existing contracts had a grace period that has long since passed; current expectations are that all in-scope service provider contracts include explicit security requirements.
The service provider obligation cascades. A primary service provider is responsible for its own subcontractors. Cloud providers, payment processors, payroll services, and other downstream vendors with access to personal information are all in scope.
Common 201 CMR 17 Implementation Gaps
Across regulatory enforcement actions and observed compliance issues, the same gaps recur:
WISP that does not reflect the organization. A template WISP downloaded from an industry source, lightly customized, and never updated. Auditors and the Attorney General's office can identify these quickly during investigation.
Encryption gaps on portable devices. Laptops without full-disk encryption. USB drives used without encryption requirements. Mobile devices accessing personal information without enforced device encryption.
Default vendor passwords. Network appliances, IoT devices, and embedded systems running with manufacturer default credentials. The regulation explicitly prohibits this.
Inadequate access controls. Personal information accessible to employees who have no business need. Departed employees retaining system access beyond the termination date.
Service provider contracts without security clauses. Contracts with cloud providers, SaaS vendors, and outsourced services that lack explicit security commitments.
Security awareness training gaps. Training delivered once and never refreshed. New employees without training. Documentation of training that is incomplete.
Patch management failures. Operating systems running unpatched for months or years. The regulation requires "reasonably up-to-date" patches, and long-unpatched systems clearly fall short of that standard.
Enforcement and Penalties
The Massachusetts Attorney General enforces 201 CMR 17 alongside the related Massachusetts data breach notification law (M.G.L. c. 93H). Penalties include:
Civil penalties up to $5,000 per violation
Additional penalties under M.G.L. c. 93H for breach notification failures
Restitution to affected individuals
Equitable relief, including ongoing program oversight
Enforcement has been active. Several high-profile settlements have established that the AG's office expects substantial program maturity, not minimal compliance. Settlements have included mandated multi-year monitoring, specific control implementations, and financial penalties in the hundreds of thousands to millions.
How to Build a Defensible WISP
A WISP that withstands scrutiny shares recognizable characteristics:
Organization-specific. The WISP describes the actual organization, its systems, its data flows, its personnel. Generic language is replaced with specific references.
Risk-grounded. The WISP describes the risks identified through risk assessment and the controls selected to address each risk. Risks the organization did not address are explained, with the reasoning documented.
Operationally connected. The WISP references specific operational procedures (incident response playbooks, access review processes, vendor management workflows). It is not a free-standing document but the index into the organization's actual operations.
Currently maintained. The WISP has a documented review history. Material changes in the business (new systems, new vendors, organizational restructuring) result in WISP updates within a reasonable timeframe.
Approved at the executive level. The WISP has named ownership and named approval. Audit trails show the WISP has been reviewed by the responsible individuals at the documented cadence.
How Continuous Compliance Supports 201 CMR 17
The specific technical controls 201 CMR 17 names are exactly the controls that CIS benchmark scanning evaluates automatically. The mapping is direct:
Secure user authentication protocols → CIS controls on password complexity, account lockout, MFA
Secure access control measures → CIS controls on account management, privilege restriction, RBAC
Encryption of data in transit → CIS controls on TLS configuration and disabling deprecated protocols
Encryption of data at rest → CIS controls on BitLocker, LUKS, cloud disk encryption
Reasonable monitoring → CIS controls on audit policy, logging configuration
Up-to-date firewall protection → CIS controls on Windows Firewall, iptables, Security Groups
Up-to-date OS patches → vulnerability scan results mapped to remediation tracking
Up-to-date security agent software → CIS controls on endpoint protection configuration
A continuous CIS benchmark scanning program produces day-by-day, host-by-host evidence that the specific controls 201 CMR 17 mandates are enforced. This evidence is the documentary record an Attorney General investigation or audit would request.
How CISGuard Supports 201 CMR 17 Programs
CISGuard's continuous CIS benchmark scanning produces direct evidence for the technical controls 201 CMR 17 requires:
22 CIS benchmarks covering the platforms most Massachusetts resident data lives on
Authentication, access control, encryption, and patching evaluation in every scan
Continuous drift detection demonstrating that technical safeguards remain enforced
Per-asset reporting suitable for inclusion in WISP-supporting documentation
Immutable audit trail of every scan and remediation, dated and queryable
Multi-framework mapping showing simultaneous coverage of 201 CMR 17, SHIELD Act, HIPAA, and other applicable frameworks
See 201 CMR 17-aligned features in CISGuard or request a 201 CMR 17 readiness review.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.
Ready to automate your compliance?
See CISGuard continuously monitor your infrastructure against 3,928 security controls.