The document summarizes the key points of the Massachusetts data privacy law 201 CMR 17.00. It outlines that all entities that own or license personal information of Massachusetts residents must comply with the law by March 2010. This includes designating a security officer, implementing a written information security plan, training employees, and reporting any breaches. The law requires safeguarding electronic and physical records, using encryption on emails and portable devices containing personal data, and securely storing paper records. To comply, companies should assess their security, create an action plan, write a security policy, train employees, and monitor/update the policy annually. Overall, following this law carefully is important to maintain client trust and relationships.

1. The Big Event 2009
201 CMR 17.00
Personal Information Security
Jason Hoeppner, CIC
B. H. Burke & Co., Inc.

2. 201 CMR 17.00
The Basics of the Law
(note, these are my own thoughts and should not be construed as legal advice):
• All entities that own or license personal information (names connected to
SSNs, drivers’ license #s) about a resident of MA must comply with this
law by March 1, 2010.
• Every agency must have a designated Security Officer and a written
information security plan (WISP) in place.
• All employees must be trained on the security plan.
• The safeguarding of this information applies to physical security as well as
electronic security (paper and computer files as well.)
• If a breach occurs, it must be reported and the corrective actions must be
taken.

3. 201 CMR 17.00
What Does It Mean?
• Network security and password policies must be up‐to‐date and enforced
No yellow sticky notes with passwords!!!!!
• Emails that contain personal information (PI) must be encrypted as much
as it is technically feasible and reasonable. My thought here is that you
cannot go completely without encryption of some type.
• Any portable devices (e.g., laptops, thumb drives) that store PI (even in a
copy of an email or other document) must be encrypted.
• Wireless networks must be encrypted.
• Paper records must be stored in a secure, locked area and accessible only
to those employees who need access. Ideally all files (even management
system screens) should never be visible to customers or personnel who do
not work for the agency.

4. 201 CMR 17.00
What Do I Need to Do as an Agency Owner/Principal?
1. Read the law.
2. Designate a Security Officer/Manager.
3. Have the Security Officer read the law.
4. Conduct a security assessment based on the requirements of the law.
5. This can be a self assessment, or better yet, an assessment by an outside
consultant with experience and understanding of the law to give you an
objective security review of your agency.
6. With the gaps identified in step 4, create an action plan to close the
compliance issues.
7. With the results of steps 4 and 5, write your security plan (WISP).
8. Train all employees on the WISP.
9. Monitor the items outlined on your WISP.
10.Review & update your plan at least yearly.

5. 201 CMR 17.00
What You Do (or Not Do) in Response
to This Regulation is Important!
Think of this from your clients’ point of view. If the law is not
addressed in the appropriate manner and there is a resulting
breach, the results could be extremely negative for your agency.
On the other hand, a conscientious and transparent approach to
this will build on the trust and strong relationships you have with
your customers.

6. Questions?
Jason Hoeppner, CIC
B. H. Burke & Co., Inc.
Jason@bhbco.com
(860) 399‐8288
http://twitter.com/JasonBHBCo
http://www.linkedin.com/in/JasonBHBCo
http://www.facebook.com/JasonBHBCo