Welcome to MassDataSafety.com and 201CMR17.com
Sponsored by Computer Care and Learning

If you want a supportive environment to:

we offer a workshop designed for you.

Or if you prefer, you can purchase access to the template now, and decide later to attend a workshop. We strongly recommend that you attend a workshop, as it will make the template much more valuable to you.


This website is designed to help you learn about the Massachusetts data safety regulations, which went into effect on March 1, 2010.

These regulations apply to ALL businesses and organizations, large and small, handling information about people from Massachusetts that could be used for identity theft. It is surprising how broad this is. For example, if you run a veterinary clinic and you take personal checks, which are printed with checking account numbers, these regulations apply to you. If you employ even one person, you are required to keep W-4 and I-9 forms, which have Social Security numbers, and the regulations apply to how you handle those forms. If you are a large clothing company with multiple locations, and you store millions of customer credit card numbers, these regulations apply to you. If you are a restaurant, they apply too. The good news is that the regulations specifically recognize that the amount of personal identity information you handle and store affects how much effort and money you must put in to comply.

Why is it called 201 CMR 17.00?

The official name of the new data protection regulations is 201 CMR 17.00.

The checklist at https://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf may be useful too, but note that it warns that following the checklist does not in itself guarantee compliance with the regulations.

We hope you enjoy this site and find it useful. Please post your comments, questions and suggestions to our forum / blog (201cmr17.wordpress.com).

This site is sponsored by Computer Care and Learning (ComputerCareAndLearning.com), a Boston-based computer helping company. Almost all the requirements of the Massachusetts Data Security law are practices we've strongly recommended to our customers since 1991, so we are particularly qualified to help companies and individuals learn about and comply with them. Please call us at 617‑522‑1049 to discuss how we can help you carry out the steps described on this site.

Warning and Legal Disclaimer

Our goal is to help you comply with the Massachusetts data privacy regulations (201 CMR 17.00). Since these regulations have legal and computer implications, we strongly recommend you consult with your attorney and your computer helpers as you strive to comply with these rules. The suggestions and other information in this site are not intended to replace the advice of your attorney and computer professionals. The information provided here is presented "as is", and no warranty is made as to fitness for your situation. This site is not officially endorsed by the Massachusetts Office of Consumer Affairs and Business Regulation (https://www.mass.gov/ocabr/), although we hope that the people in that office appreciate our efforts.

What is “Sensitive Information”?

Sensitive Information is:

What is “Personal Information”?

The formal definition of Personal Information (PI) in 201 CMR 17.00 is: "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."

What do you need now?

We recognize that people come to this site with different goals, so we provide several paths for visitors.

Quick compliance path

All organizations in Massachusetts and all organizations outside of Massachusetts that handle information about Massachusetts residents which could be used for identity theft must take these steps. Naturally, if you handle little or no personal information, these steps are going to be easier for you, but you still must take them. This is similar to the rule that you must fill out an IRS Form 1040 even if you have little or no taxable income.

The authors of the regulations, David Murray and Gerry Young, emphasize that the demands of the regulation depend on the size of the organization and the amount of Personal Information it handles. If you are a veterinary clinic and the only personal information you handle is personal checks and your own employee records, your obligations under 201 CMR 17 are less heavy than those of a CPA firm that handles client financial records, and far less heavy than those of the TJX Corporation, which handles millions of credit card transactions. Your job is to apply the appropriate amount of "201 CMR 17-ness" to keep safe the Personal Information your organization handles.

201 CMR 17.00 requires that your organization take three concrete steps to prevent identity theft:

Let’s look at how to carry out these three steps.

Step One: Appoint an Information Security Manager

Your Information Security Manager (ISM) should have good computer skills, good leadership skills, and a good handle on office procedures, and should get along well with people. This job takes thoroughness, tact, a willingness to learn, and an enthusiasm for teaching.

In our opinion, this is the most essential step in implementing 201 CMR 17, and the one on which your success, or lack of it, hinges. We suggest you choose someone who has been with your organization for some time and knows different parts of it well. It also helps if she has an active, healthily suspicious imagination. Someone who reads spy novels in his spare time is a good find. The person needs to be flexible and able to deal with frustration, and needs to know how to work well with vendors and support organizations. If you can't get all this in one person, consider choosing a team of two with complementary skills.

Step Two: Write and approve an Information Security Policy (ISP)

Your Information Security Manager should write an Information Security Policy (ISP) that is simple and pleasant to read and use. The ISP should enforce basic standards for keeping Personal Information out of the hands of hackers, burglars, and people inside the organization acting unscrupulously. Your legal counsel and your computer helping organization should look it over, and the Owner / CEO of the organization must approve it. You may want Board approval as well.

Rather than going on about how to create one, we invite you to look at a simple Information Security Policy.

Step Three: Your Information Security Manager (ISM) must help your staff carry out the Written Information Security Plan (ISP) and audit compliance regularly.

However you develop your written Information Security Plan (ISP), have your Information Security Manager (ISM) lead the implementation and upkeep of the ISP. Review the ISP and its implementation at least annually, or whenever a significant change happens that could affect the ISP, such as a personnel change, a change in industry safety standards, or a change in the way you implement security.