Massachusetts protection of personal information

Massachusetts 201 CMR 17 requires that every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver’s license numbers. The rules for this policy are:

  • Massachusetts Protection of Personal Information: Name and SSN
  • Massachusetts Protection of Personal Information: Name and SSN (Wide)
  • Massachusetts Protection of Personal Information: Name and DL
  • Massachusetts Protection of Personal Information: Name and DL (Wide)
  • Massachusetts Protection of Personal Information: Name and CCN
  • Massachusetts Protection of Personal Information: Name and CCN (Wide)
  • Massachusetts Protection of Personal Information: Name and ID
  • Massachusetts Protection of Personal Information: Name and Password (Wide)
  • Massachusetts Protection of Personal Information: Name and Password (Default)
  • Massachusetts Protection of Personal Information: Name and Password (Narrow)
  • Massachusetts Protection of Personal Information: Name with Account and Password
  • Massachusetts Protection of Personal Information: Account and Password
  • Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Wide)
  • Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Default)
  • Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Narrow)