{"id":3606,"date":"2024-03-12T13:39:11","date_gmt":"2024-03-12T19:39:11","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=3606"},"modified":"2024-03-21T13:34:21","modified_gmt":"2024-03-21T19:34:21","slug":"massachusetts-sppi","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/massachusetts-sppi\/","title":{"rendered":"Massachusetts Standards for the Protection of Personal Information"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tRegulation<\/span>\n\t\t\t\t\t\t\t\t\t\t

Massachusetts Standards for the Protection of Personal Information<\/h1>\n\t\t\t\t\t

The Massachusetts Standards for the Protection of Personal Information, also known as \u201c201 CMR 17.00\u201d establishes minimum standards to be met by organizations who own or license personal information about a resident of the Commonwealth of Massachusetts in connection with the safeguarding of personal information.<\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Are you subject to the 201 CMR 17.00?<\/h2>\n

The 201 CMR 17.00 applies to those engaged in commerce and who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Obligations & rights under the 201 CMR 17.00<\/h2>\n\t\t\t\t\t\t\t\t\t\t\t\tThis regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Information security program<\/h4>\n

Organizations that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Computer system security requirements<\/h4>\n

Organizations shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Form of consent<\/h4>\n

Continuous monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Vendor management<\/h4>\n

Oversee vendors by taking reasonable steps to select and retain third-party vendors that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00. There should be contracts in place with vendors requiring them to implement and maintain appropriate security measures to protect personal information.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWebinar<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Mitigating Third-Party Risk: Best Practices for CISOs<\/h2>\n\t\t\t\t\t\t

Join us for an insightful and informative webinar as we delve into mitigating third-party risks. This webinar will provide essential strategies and best practices to ensure robust security and privacy measures when collaborating with external entities.<\/p>\n\t\t\t\t\t\t