201 CMR 17.00, explained for the people who have to comply with it.
Massachusetts's data security regulation is one of the oldest in the country, one of the shortest, and one of the most widely ignored — right up until a breach makes it suddenly very expensive. Here's a plain-language walkthrough, written for the people inside companies who actually have to carry it out.

Most Massachusetts companies we talk to treat 201 CMR 17.00 the way most people treat the emergency information card in an airline seat pocket. They know it exists. They assume someone more qualified has looked at it. They intend to review it at some point. They have never actually read it.
That was a defensible posture in 2012. It is not defensible now. The regulation has been in force since 2010, has survived intact through every wave of federal privacy legislation, and is the specific framework the Massachusetts Attorney General's office cites in breach notification letters and enforcement actions. It is also, despite the reputation, extremely readable. The entire regulation is about nine pages long.
Here's what it actually says, what it actually requires, and what most organizations miss.
Who it applies to.
Any person or entity — meaning any business, regardless of where it's headquartered — that owns or licenses personal information about a Massachusetts resident. That is it. The regulation is triggered by the presence of one record about one Massachusetts resident in your systems. You do not have to be a Massachusetts company. You do not have to do most of your business in Massachusetts. If you have one employee, one customer, or one applicant who lives in the Commonwealth, 201 CMR 17.00 applies to you.
"Personal information," for the purposes of the regulation, is specific. It means a Massachusetts resident's first name (or initial) and last name, in combination with at least one of: Social Security number, driver's license or state-issued ID number, or a financial account number or credit or debit card number (with or without any PIN or security code that would permit access to the account). Not email address. Not phone number. Not IP address. Data lawfully obtained from public records is excluded. The triggering data set is narrow, but it is also the one most commonly implicated in actual identity theft.
Does your HR system contain Massachusetts employees with SSNs? Does your customer database contain Massachusetts customers with stored credit card numbers? Does your applicant tracking system contain Massachusetts job seekers with driver's license numbers? If yes to any, 201 CMR 17.00 applies.
What it requires.
The regulation is built around one central obligation: every covered entity must develop, implement, and maintain a comprehensive information security program, in writing. That written program is what practitioners call a WISP (written information security program), and it is the spine of the entire regulation. Every specific control the regulation requires is really an element that must appear in the WISP.
The WISP must include administrative, technical, and physical safeguards that are appropriate to the size of the organization, the amount of resources available, the nature of the data held, and the need for security. It is explicitly a risk-based regulation — the law does not demand that a fifteen-person professional services firm deploy the same controls as a Fortune 500 bank. It does demand that each of them have a written program that reflects the controls appropriate to their situation.
Specifically, a compliant WISP must include:
- Designation of one or more employees responsible for the program.
- Identification and assessment of reasonably foreseeable internal and external risks to the security of personal information.
- Ongoing employee training on the WISP and the organization's security practices.
- Security policies regarding the storage, access, and transportation of records containing personal information.
- Disciplinary measures for violations of the WISP.
- Prevention of terminated employees from accessing personal information.
- Oversight of third-party service providers, including verification that they are capable of maintaining appropriate security measures, and contractual requirements that they do so.
- Restrictions on physical access to records containing personal information.
- Regular monitoring of the WISP to ensure it is operating in a manner reasonably calculated to prevent unauthorized access or use.
- Review of the scope of the WISP at least annually, or when there is a material change in business practices.
- Documentation of responsive actions taken in connection with any incident involving a breach of security, plus a mandatory post-incident review of what happened and of any changes made to business practices as a result.
The technical requirements.
Section 17.04 of the regulation spells out the technical controls that a compliant WISP must include "to the extent technically feasible." These are the most specific, and the most frequently missed:
- Secure user authentication protocols: control of user IDs, a reasonably secure method of assigning and storing passwords (or other credentials such as tokens or biometrics), restricting access to active users only, and blocking access after repeated unsuccessful login attempts. In practice: unique user IDs, reasonably secure passwords, and lockout.
- Secure access control measures — restricting access to personal information to those who need it to perform their jobs.
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and of all such data transmitted wirelessly. Translation: TLS on web, TLS on email, VPN for remote access, and no open or WEP-era wireless. One caveat practitioners should know: TLS between mail servers is negotiated hop by hop and is frequently opportunistic, so a message carrying an SSN can still cross the Internet in the clear even though your own mail client used TLS. For records with personal information, use an enforced channel (a secure file transfer service or portal) or encrypt the file itself before sending it.
- Encryption of all personal information stored on laptops or other portable devices. "Other portable devices" includes phones, USB drives, and removable backup media, not only laptops. This is the single most frequently non-compliant control we find in assessments. Full-disk encryption on every laptop that touches personal information is, in 2026, the baseline. Note what it does and does not do: it protects data at rest on a device that is powered off or locked, so it has to be paired with an enforced screen lock and a non-trivial passphrase, and recovery keys should be escrowed so the control can be evidenced (and the device recovered) without anyone keeping plaintext copies around.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Reasonably up-to-date firewall protection and operating-system security patches for files containing personal information on systems connected to the internet.
- Reasonably up-to-date antivirus and anti-malware software.
- Education and training for employees on the proper use of the computer security system and the importance of personal information security.
The regulation is not asking whether you have an information security program. It is asking whether you have a written one, kept up to date, that reflects these specific controls. Most companies have controls. Fewer have the document.
Where organizations actually fall short.
In the 201 CMR 17.00 compliance assessments we've run over the last two years, the pattern of non-compliance is consistent:
- No current WISP, or a WISP that hasn't been updated since 2019. The regulation explicitly requires annual review.
- Unencrypted laptops. Full-disk encryption is technically feasible on every laptop sold in the last decade, so the "to the extent technically feasible" qualifier offers no cover here. It also matters after the fact: under the companion breach notification statute, M.G.L. c. 93H, a lost or stolen device whose data was encrypted and whose key was not compromised is generally not a reportable breach, while an unencrypted one is.
- No documented vendor oversight process. Most organizations have contracts with vendors; fewer have a repeatable process for assessing those vendors' security practices and documenting the results.
- No employee training program. Or a training program that was last delivered to the current CEO's predecessor.
- No incident documentation. When a near-miss happens, it needs to be documented. When a breach happens, the responsive actions need to be documented. This is where the AG's office starts reading when things go wrong.
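The laptop-encryption requirement in 17.04 and the "unencrypted laptops" finding above both come down to a question an assessor has to answer per device: is the filesystem that actually holds personal information sitting on an encrypted volume? The following is an added example, not code from this article or from Colossus, showing one way to answer that on a Linux laptop from the JSON tree that `lsblk` prints. It assumes Linux with util-linux `lsblk`, and that personal information lives on the root filesystem and `/home` (the `PROTECTED_MOUNTS` set is an assumption you would adjust). A mount point is treated as encrypted when a dm-crypt (`crypt`) device sits anywhere above it in the device tree, which covers LUKS-on-partition and LUKS-on-LVM layouts. The two sample trees embedded in the script are constructed for illustration, not captured from a real machine.

```python
"""Laptop full-disk encryption check from the block-device tree that
`lsblk -J -o NAME,TYPE,MOUNTPOINTS` prints on Linux.

Added example for this article; not Colossus's assessment tooling.
Assumptions: Linux with util-linux lsblk, and that personal information
lives on the root filesystem and /home (PROTECTED_MOUNTS). A mount point
counts as encrypted when a dm-crypt ("crypt") device sits anywhere above
it in the tree, which covers LUKS-on-partition and LUKS-on-LVM layouts.
The two JSON samples below are constructed for illustration, not captured
from a real machine.
"""
import json
import subprocess

PROTECTED_MOUNTS = {"/", "/home"}  # assumption: where personal information lives

# Constructed sample: LUKS container holding an LVM volume group; / and
# /home sit under the "crypt" node, /boot and the EFI partition do not.
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoints": [null], "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "nvme0n1p2", "type": "part", "mountpoints": ["/boot"]},
    {"name": "nvme0n1p3", "type": "part", "mountpoints": [null], "children": [
      {"name": "luks-1a2b3c", "type": "crypt", "mountpoints": [null], "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoints": ["/"]},
        {"name": "vg0-home", "type": "lvm", "mountpoints": ["/home"]},
        {"name": "vg0-swap", "type": "lvm", "mountpoints": ["[SWAP]"]}]}]}]}]}
""")

# Constructed sample: only /home was encrypted; the root filesystem, where
# browser profiles, mail caches and downloads usually land, is plain ext4.
PARTIAL_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
    {"name": "sda1", "type": "part", "mountpoints": ["/boot/efi"]},
    {"name": "sda2", "type": "part", "mountpoints": ["/"]},
    {"name": "sda3", "type": "part", "mountpoints": [null], "children": [
      {"name": "home_crypt", "type": "crypt", "mountpoints": ["/home"]}]}]}]}
""")


def _mounts(node):
    """Mount points of one node; accepts both the util-linux >= 2.37
    "mountpoints" list and the older scalar "mountpoint" field."""
    if "mountpoints" in node:
        return [m for m in node["mountpoints"] if m]
    m = node.get("mountpoint")
    return [m] if m else []


def encryption_status(tree):
    """Map every mount point in an lsblk JSON tree to True if a crypt
    device is an ancestor (or the node itself), else False."""
    status = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        for m in _mounts(node):
            status[m] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return status


def unencrypted_protected_mounts(tree, protected=PROTECTED_MOUNTS):
    """Protected mount points that are not encrypted. A protected mount
    that is absent from the tree is reported too: "could not find it"
    is not evidence of compliance."""
    status = encryption_status(tree)
    return sorted(m for m in protected if not status.get(m, False))


def check_local_host():
    """Run lsblk on this Linux host and return the findings list
    (empty means every protected mount is on a crypt device)."""
    for columns in ("NAME,TYPE,MOUNTPOINTS", "NAME,TYPE,MOUNTPOINT"):
        try:
            out = subprocess.run(["lsblk", "-J", "-o", columns],
                                 capture_output=True, text=True, check=True).stdout
            return unencrypted_protected_mounts(json.loads(out))
        except (subprocess.CalledProcessError, FileNotFoundError):
            continue  # older lsblk rejects MOUNTPOINTS; retry with MOUNTPOINT
    raise RuntimeError("lsblk failed; is this a Linux host with util-linux?")


if __name__ == "__main__":
    for label, sample in (("encrypted sample", ENCRYPTED_LAPTOP),
                          ("partial sample", PARTIAL_LAPTOP)):
        findings = unencrypted_protected_mounts(sample)
        print(f"{label}: " + ("PASS" if not findings
                              else "FAIL, unencrypted: " + ", ".join(findings)))
```

Run with no arguments it reports on the two constructed samples; `check_local_host()` runs the same logic against the machine it is executed on, and the per-host output is the kind of artifact worth keeping alongside the WISP as evidence of the control. Be clear about what the check does not prove: it confirms a dm-crypt mapping is in the path, not that the passphrase is strong, that the screen locks, or that the unlock key is not sitting in a keyfile on the unencrypted `/boot` partition. Those still need to be checked separately.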
What a compliant WISP actually looks like.
A working WISP is not a 60-page document. It is a concise, specific, and operational document that answers the questions the regulation asks, in the language that an auditor — or an employee following it — can actually use. The best WISPs we've worked with are fifteen to twenty-five pages and read like an operating manual, not a legal brief.
It names the person responsible. It enumerates the kinds of personal information the business handles, and where. It lists the specific safeguards in place and maps each one back to the requirement it satisfies. It includes the incident response process, the training curriculum and cadence, the vendor oversight process, and the annual review schedule. It is, in other words, the real operating document for the security program — not a shelf document produced once and forgotten.
The organizations that get this right treat the WISP as a living document that tracks with the business. The ones that don't treat it as a compliance artifact and discover, during the post-breach inquiry, that it bears no resemblance to how the business actually runs. The distinction matters a great deal to the Attorney General's office, and it matters to cyber insurance underwriters, and it matters to the customers who read the incident notification letter.
The regulation has been in force for fifteen years. It is unlikely to be repealed. The cost of coming into compliance is almost always smaller than the cost of being caught out of compliance.
About Colossus. Colossus Technologies Group is a veteran-led data governance and cybersecurity firm headquartered in Boston. Our Data Governance practice includes 201 CMR 17.00 compliance assessments, WISP drafting, HIPAA program development, and AI governance framework design. This piece reflects the pragmatic approach we take with our Massachusetts clients.
This article is general information about Massachusetts's 201 CMR 17.00 regulation and is not legal advice. Organizations with specific compliance questions should consult with qualified counsel.