Thousands of security policies delivered to satisfied customers.

"Get Massachusetts 201 information security policies within minutes, guaranteed."

What is Massachusetts 201 CMR 17.00, exactly?

Massachusetts’ 201 CMR 17.00 is one of the newest and strictest data protection laws in the country.

In essence, it requires companies to develop a comprehensive written information security program (WISP) to protect the use or storage of personal data of clients or employees who are Massachusetts residents.  While commendable, it places a significant burden on companies to implement a multitude of Massachusetts information security policies and procedures to be in compliance.

Failure to meet these requirements may result in fines, civil penalties, and loss of client confidence.   Save yourself the trouble of spending tedious hours or expensive consulting fees to draft a Massachusetts 201 CMR 17.00 compliant policy - simply purchase our Gold Security Package and be on your way within minutes! Our Mass 201 Policy is:

  • Specifically tailored to meet the demands of 201 CMR 17.00
  • Ready to be customized to the specific needs of your company & industry
  • Available within minutes
  • Innexpensive compared to the cost of doing it yourself or hiring a consultant
  • 100% satisfaction guarantee or full refund provided

What are the Mass 201 CMR 17.00 requirements?

Concerned 201 CMR 17.00 requirements are lengthy and complex? Simplify your policy development process using our Policy Wizard.  Our Mass 201 Policy Wizard walks you through a brief series of questions to help create the best policies for your company.

In general, 201 CMR 17.00 requires your company to:

  • Encrypt all files containing personal data stored on laptops and portable devices
  • Encrypt all files containing personal data transmitted wirelessly or over public networks
  • Ensure up-to-date firewall protection for operating systems
  • Establish secure authentication protocols for all users
  • Regularly update malware protection
  • Provide regular, ongoing employee training for monitoring compliance
However, this is just an overview.  Using our Policy Wizard, you can quickly develop your own policy to meet all of requirements in detail.  Or, if you prefer, sign up for a Free Trial Account and develop your own free custom sample security policy now!

How do I meet specific requirements?

It couldn’t be easier - we have mapped out each 201 CMR 17.00 requirement and show you the specific component of our Massachusetts information security policy that covers it.  Each specific area in question is paired with a policy section that addresses it in full.

Here is one example:

17.03: Duty to Protect and Standards for Protecting Personal Information
(2) Every comprehensive information security program shall include, but not be limited to:

(2) a. Designating one or more employees to maintain a comprehensive information security program.
    Covered by Network Security Policy, section 4.18.1 Security Program Manager.

(2)b. Identifying risks to the security, confidentiality, and/or integrity of records containing personal information, and improving current safeguards where necessary, including 1) ongoing employee/contractor training, 2) employee compliance with policies, and 3) means for detecting and preventing security system failures.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and section 4.7.2 Risk Management Program.
    Covered by multiple sections of the Network Security Policy.

(2)c. Developing policies relating to the storage, access, and transportation of personal information outside of business premises.
    Covered by Confidential Data Policy, section 4.2 Use of Confidential Data, and section 4.3 Security Controls for Confidential Data.
    Covered by Mobile Device Policy, section 4.2 Data Security

(2)d. Imposing disciplinary measures for violations of the security policy.
    This requirement is best handled by your company's Human Resources department, however, from a policy perspective, security violations are discussed in the Enforcement section of each policy.

(2)e. Preventing terminated employees from accessing records containing personal information.
    Covered by Network Access and Authentication Policy, section 4.3 Account Termination.

(2)f. Oversee service providers by 1) selecting and retaining service providers capable of securing personal information and 2) requiring service providers by contract to implement and maintain appropriate security measures for personal information.
    Covered by Outsourcing Policy, section 4.5 Outsourcing Contracts.
    Covered by Third Party Connection Policy, section 4.2 Security of Third Party Access and 4.3 Restricting Third Party Access.

(2)g. Placing restrictions on physical access to records containing personal information and securely storing of this information
    Covered by multiple sections of the Physical Security Policy.
    Covered by Confidential Data Policy, section 4.1.1 Storage of Confidential Data, and 4.3 Security Controls for Confidential Data.
    Covered by Backup Policy, section 4.5 Backup Storage.

(2)h. Regular monitoring to ensure the security program is operating in the intended manner and upgrading safeguards where necessary.
    Covered by Network Security Policy, section 4.7 Security Testing and 4.18.3 Security Policy Review.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and section 4.7.2 Risk Management Program.

(2)i. Reviewing security measures at least annually or whenever it is reasonably necessitated by a change in business practices.
    Covered by Network Security Policy, section 4.18.3 Security Policy Review.
    Covered by Network Security Policy, section 4.7 Security Testing.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and section 4.7.2 Risk Management Program.

(2)j. Documenting actions taken in response to any incident involving a breach of security, and a post-incident review of events and actions taken.
    Covered by Incident Response Policy, sections 4.4 Electronic Incidents and 4.5 Physical Incidents.

Click here to see each 201 CMR 17.00 requirement mapped out and which section of our Instant Security Policy covers it.

Okay, I understand.  But is my business affected by this law?

This law is unique in that it doesn’t only apply to companies located in Massachusetts. If you or your company use, store, or transmit any personal data belonging to a Massachusetts resident, you need to be Mass 201 CMR 17.00 compliant.

What type of personal data are we talking about? Mass 201 CMR 17:02 defines personal data as the first name or first initial and last name of a Massachusetts resident in combination with any one of the following pieces of information:

  • Credit or debit card number
  • Financial account number
  • Social security number
  • Driver’s license or state-issued ID number

These personal data points are the common denominator in banking, finance, healthcare, education, and private business.  We count our customers among all of these industries, both large and small.

We’re a smaller company.  What’s best for us?

Smaller companies are particularly vulnerable to Mass 201 CMR 17.00 regulations because they often do not have:

  • Comprehensive written information security policies (WISP)
  • Full-time IT personnel responsible for data protection
  • Adequate IT budgets
  • High-level encryption
  • Data protection measures beyond basic user authentication, firewall, and malware capabilities

As a small business ourselves, we understand how difficult it is for other small businesses to implement these changes without help.  While Massachusetts (OCABR) appreciably published a few guides to help small businesses get started, takes you a step further and expedites the entire policy development process in just minutes.  See for yourself.

Why has created thousands of security policies for small and large companies since 2008.  We’ve made security policies easy for those who must meet government regulations.  We have helped companies in a variety of industries achieve compliance with Mass 201 CMR 17.00 since its inception on March 1, 2010, and continue to do so.  We specifically created data protection policies like the Gold Security Package for the purposes of demanding laws such as Mass 201 CMR 17.00, and allow you to customize it to your individual needs.  Best of all, it takes just a few minutes!

Here are what a few customers had to say:

“Your product saved me many hours of boring work, thank you.”
– Jim Owens - IT Manager, Portland, Maine

“Your policy wizard was quick and easy to get the policies I need for my company.”
– Ron Satterfield - IT Manager, Cambridge, MA

“We used your product to help us achieve compliance with Massachusetts 201 CMR 17.00 without having to spend dozens of hours developing the policies ourselves.”
– Linda Neal - CISO, Boston, MA

“Getting a Massachusetts 201 policy from you saved me many hours and allowed my company to be compliant today.”
– Trent Comer - IT Manager, Boston, MA

See more Customer Testimonials Here!

I still have questions.  Where can I go to find out the answers?

Please take advantage of the resources below.  We are confident that the more you know about Mass 201 CMR 17.00, the more you will appreciate the value provides your company.

For more information on Massachusetts 201 CMR 17.00 from the Commonwealth of Massachusetts, please visit:

Frequently Asked Questions
Compliance Checklist
Small Business Guide

Have your own 201 CMR 17.00 compliant policy on your desk today – CLICK HERE!

Buy Now

Selected Client Logos

Client Logos