
Tenable Blog


Understanding The New Massachusetts Data Protection Law

After months of defining, redefining, extending deadlines and planning, a new law in Massachusetts that affects all businesses that handle personal data of Massachusetts residents is finally about to go into effect. According to Massachusetts 201 CMR 17:
"The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."

The implication for businesses is clear: regardless of where your business is physically or operationally, if you handle or store the personal information of any Massachusetts resident, you are legally obligated to protect that information. Failure to comply with MA 201 CMR 17 could result in fines of up to $5,000 per violation, although "per violation" has yet to be clearly defined.

Barring any unforeseen changes, the deadline for compliance with the new law is March 1, 2010. The date has already been pushed back three times: MA 201 CMR 17 was originally scheduled to go into effect on January 1, 2009, but some parts were delayed until May 1, 2009, and others were then extended until January 1, 2010. The entire law is now set to take effect on March 1, 2010, and some businesses are still struggling to comply with certain aspects of the legislation. While larger businesses may already have many of the law's requirements in place, such as a security training program or a formal written information security plan, some smaller businesses are still trying to determine how to comply with directives such as:

"Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information."

In most cases, achieving compliance with MA 201 CMR 17 will take not only time and effort but also capital expenses that can affect a business' bottom line.

Under MA 201 CMR 17 subsection 17.04, titled "Computer System Security Requirements", several points address the need for systems to be maintained and monitored:

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

One of the issues commonly discussed regarding MA 201 CMR 17 has been scalability. For smaller organizations with just a handful of computers, compliance with these points may be as simple as turning on Windows Update for operating system patches, turning on daily automatic updates for antivirus software and spot-checking systems on a monthly basis to ensure that updates are applied. For larger businesses such as banks, hospitals and retail chains, managing hundreds or thousands of computers (as well as their entire network infrastructures) generally requires a full-time IT staff. Monitoring each and every node on the network, in addition to other administrative tasks, is a daunting task. Whether monitoring is performed manually or through automated technology solutions, there is the very real possibility that compliance with MA 201 CMR 17 will incur a significant financial expense.

Another commonly discussed requirement of the law is the "Encryption of all personal information stored on laptops or other portable devices". One school of thought holds that personally identifiable information (PII) should never be stored on portable devices in the first place. The law defines PII as:

"A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number[...]"

As the following chart shows, that has not been the case historically and will probably not be the case going forward:

Chart courtesy DataLossDB (http://datalossdb.org/) and the Open Security Foundation

Even though MA 201 CMR 17 addresses encryption of PII on laptops, portable devices and over public and wireless networks, it is a good idea to know exactly where ALL of your sensitive information resides, regardless of whether it is inside your corporate network or "out in the field". Several state breach notification laws specifically exempt entities from breach notification if it can be proven that lost or stolen data was encrypted. However, you have to know where the data was lost or stolen from in order to know whether or not it was encrypted. All devices containing PII must be inventoried and monitored on a regular basis to ensure compliance with MA 201 CMR 17.

Tenable offers a Unified Security Monitoring suite of products that can assist in complying with this new legislation. Through the Security Center, the Log Correlation Engine (LCE) allows you to monitor logs from your assets and alert you when a computer or other device has possibly fallen out of compliance with your security baselines or standards. The Passive Vulnerability Scanner (PVS) continuously monitors traffic across your network, tracks thousands of client and server application vulnerabilities, detects when new hosts are added to the network and detects which applications and servers host or transmit sensitive data. The Nessus vulnerability scanner performs configuration audits, finds missing patches and upgrades and scans for credit card numbers, Social Security numbers and other types of sensitive information. Together, these products offer a powerful and flexible solution to help ensure compliance with a wide variety of security and compliance standards, as well as regulations and legislation such as MA 201 CMR 17.

One last reminder that comes straight from MA 201 CMR 17 itself:

17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.
