MA Regulations- Protection of Personal Information of MA Residents 201 CMR 17.00

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00. A civil penalty of $5,000 USD may be levied for each violation of M.G.L. 93H, 201 CMR 17.00. In addition, under the portion of M.G.L. 93I concerning data disposal, businesses can be subject to a fine of up to $50,000 for each instance of improper disposal.

Download 201 CMR 17.0