Massachusetts Enacts Strict Standards for the Protection of Sensitive Personal Information


To All Firm Clients –

On March 1, 2010, Massachusetts regulation 201 CMR 17.00 went into effect.  This new regulation will require anyone who collects or stores the names of Massachusetts residents in connection with their social security number, driver’s license number, or credit card or debit card number to develop and maintain a comprehensive information security program.  The information security program must include technical, administrative, and physical safeguards for this sensitive information.

Most states have requirements for companies in the event of a security breach involving sensitive customer or employee information.  However, Massachusetts’ new regulation is unusual in that it requires companies to take action prior to any breach, and it is unique in the level of specificity of the requirements that it imposes.  For example, among other requirements, companies that collect or store Massachusetts residents’ sensitive information must now designate a specific employee to oversee their security program, provide ongoing employee training for their security program, take “reasonable” steps to ensure the proper use of sensitive information released to third-party service providers, and, notably, meet very specific computer system security technical requirements such as the use of data-encryption technology and secure user authentication protocols.

Client Advisory

It remains to be seen how vigorous or aggressive Massachusetts will be in enforcing these new regulatory requirements.  However, clients who are concerned with potential compliance issues under this new regulation should contact the firm immediately, as most of the new compliance requirements are already in effect.  Clients seeking additional information or guidance should contact Michael Donahue at or 703-714-1319.

ATTORNEY ADVERTISING DISCLAIMER: This information may be considered advertising in some jurisdictions under the applicable law and ethical rules. The determination of the need for legal services and the choice of a lawyer are extremely important decisions and should not be based solely upon advertisements or self-proclaimed expertise. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers
