On March 1, 2010, the Massachusetts Office of Consumer Affairs and Business Regulation is scheduled to begin enforcing the new Massachusetts identity theft regulation, 201 CMR 17.00 (“Regulation 201”). Regulation 201 establishes minimum standards for the protection of personal information of Massachusetts residents.

What Does Regulation 201 Cover?

Regulation 201 requires individuals, corporations, associations, partnerships and other legal entities (but generally excluding governmental organizations) that own or license “personal information” about Massachusetts residents to develop, implement and maintain a comprehensive written information security program. The scope of Regulation 201 is broad: compliance is triggered by the records held, not by the location of the covered entity. For example, a California company with no office in Massachusetts would need to comply with Regulation 201 if it held records containing personal information about Massachusetts residents.

Regulation 201 sets out specific measures that covered entities must take to be in compliance. In addition to creating a written program, entities are obligated to:

  • designate personnel with responsibility for the program
  • assess the existing security measures designed to protect records containing personal information of Massachusetts residents and improve measures where foreseeable risks have been identified
  • obtain contractual assurances from third parties that are given relevant records by the covered entity (for example, an outside payroll company)
  • implement physical and electronic security measures to protect the confidentiality and integrity of relevant records including, but not limited to, technical access controls and encryption of personal information that is transmitted across public networks or wirelessly, or that is stored on laptops and other portable devices
  • provide employee training
  • regularly review the program and revise it as necessary