Compliance Services

201 CMR 17.00 Mass Privacy Law
The Massachusetts Office of Consumer Affairs and Business Regulations (OCABAR) issued a comprehensive set of regulations establishing that any business that collects and maintains personal information of a citizen of the Commonwealth of Massachusetts must comply with the regulations set forth in 201 CMR 17.

The storage of this personal information (e.g., social security numbers, credit card information, or other personal data) on your computer network means that you need to comply with the network security measures set forth in the law. If you do not have a dedicated IT professional employed, we strongly recommend that you work with a certified IT professional from SourceOne who can review your network, provide your company with a Written Information Security Plan (WISP), and provide ongoing network maintenance to ensure its security and compliance.

The following are 8 key areas that SourceOne can evaluate to analyze your network in preparation for developing and implementing your Written Information Security Plan (WISP).

  • Utilize a Certified IT Professional from SourceOne
  • Password Security
  • Network Antivirus Protection
  • Email Virus and Spam Protection
  • Laptop Security Encryption
  • USB and Portable Storage Devices
  • Email Security Encryption
  • Network Firewall

Does my business need to comply?
All businesses and other legal entities that own or license personal information about a resident of the Commonwealth are required to develop, implement, and maintain a comprehensive information security program applicable to any records containing such personal information. Personal information will frequently be included in payroll records, employee and candidate HR files, student files, patient data, and certain consumer-related files.

What if I don’t comply?
A civil penalty of $5,000 may be levied for each violation of M.G.L. 93H 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.