Massachusetts Data Protection Law

201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts requires businesses that own, license, store or maintain personal information about a resident of the Commonwealth to follow comprehensive information security requirements. The goal is to safeguard personal information contained in both paper and electronic records. All organizations with operations and/or customers in the state of Massachusetts must adhere to these standards by March 1, 2010.

To comply with the Computer System Security Requirements of this Massachusetts data protection law, organizations must:

  • Control passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect
  • Encrypt all personal information stored on laptops or other portable devices
  • Maintain reasonably up-to-date firewall protection and operating system security patches, designed to maintain the integrity of the personal information
  • Maintain up-to-date versions of system security agent software, which must include malware protection and up-to-date patches and virus definitions
Security Management Solutions from Lumension Ensure Protection of Personal Information

Endpoint management and security software from Lumension addresses 201 CMR 17.00 compliance challenges, protects personal information and improves operational efficiencies. These solutions include:

  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and third-party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle® Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates while reducing configuration drift.
  • Lumension® AntiVirus – Provides blacklist protection and removal for all malware including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for devices and ports while providing FIPS 140-2 Level 2 validated encryption of data on removable media to prevent data loss or theft.
  • Lumension® Disk Encryption – Enables full disk encryption to maximize endpoint security and performance with proven, FIPS 140-2 validated encryption algorithms; and offers encrypted swap and hibernation files for complete security.
  • Lumension® Risk Manager – Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management, providing crucial visibility and continuous monitoring across the IT environment to ensure compliance with HIPAA as well as other pertinent regulations (e.g., PCI), mandates, and internal policies.

Lumension solutions can help organizations protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare for compliance audits, and lower the cost of IT security.

The Cost of Non-Compliance

The new Massachusetts data security law is stricter than past regulations and those of other states, which only required businesses to notify people when personal information was lost. The provisions of this law are enforced under Massachusetts General Law (MGL) chapter 93A, section 4, which provides for a civil penalty of $5,000 for each violation and may require violators to pay the “reasonable costs of investigation and litigation of such violation, including reasonable attorneys’ fees.” In addition, the law establishes a standard that plaintiffs in civil suits can use to argue that a business that lost data was negligent.