Jun 16, 2009
The following is an exceptionally brief overview of 201 CMR 17, written at the request of a number of our registered subscribers who wanted a common-sense description that could be shared with less technically oriented peers on the “business” side of the house. Please continue to contact us with requests and we will continue to write relevant briefs for you.
On January 1, 2010, legislation entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth” (MGL 201 CMR 17.00) will take effect. This law applies to all businesses that operate in Massachusetts as well as businesses throughout the country that maintain or transmit personally identifiable information (PII) on Massachusetts residents. The law applies whether your business has just one computer or 500 computers.
What Is Personally Identifiable Information?
Stated simply, PII is the combination of first or last name, or initials, along with Social Security number, driver’s license number, state-issued ID card number, financial account number, credit card number or debit card number. As an example, if you keep records anywhere on your network, such as in PeopleSoft, file shares, databases, QuickBooks or even in an Excel spreadsheet, that contain information like “John Doe with credit card number 123-456-789-012,” then you are subject to these regulations.
What Do You Need To Do?
The new law provides standards that you need to follow. For example, all PII must be stored in an encrypted format on your computer systems, including mobile laptops and other devices. Failure to comply with the new law can result in serious financial penalties as well as a loss of public confidence.