3. 201 CMR 17.00
What Does It Mean?
• Network security and password policies must be up-to-date and enforced. No yellow sticky notes with passwords!
• Emails that contain personal information (PI) must be encrypted as much as is technically feasible and reasonable. My thought here is that you cannot go completely without encryption of some type.
• Any portable devices (e.g., laptops, thumb drives) that store PI (even in a copy of an email or other document) must be encrypted.
• Wireless networks must be encrypted.
• Paper records must be stored in a secure, locked area and accessible only to those employees who need access. Ideally all files (even management system screens) should never be visible to customers or personnel who do not work for the agency.
4. 201 CMR 17.00
What Do I Need to Do as an Agency Owner/Principal?
1. Read the law.
2. Designate a Security Officer/Manager.
3. Have the Security Officer read the law.
4. Conduct a security assessment based on the requirements of the law. This can be a self-assessment or, better yet, an assessment by an outside consultant with experience and understanding of the law, to give you an objective security review of your agency.
5. With the gaps identified in step 4, create an action plan to close the compliance issues.
6. With the results of steps 4 and 5, write your security plan (WISP).
7. Train all employees on the WISP.
8. Monitor the items outlined in your WISP.
9. Review and update your plan at least yearly.
5. 201 CMR 17.00
What You Do (or Do Not Do) in Response to This Regulation Is Important!
Think of this from your clients' point of view. If the law is not addressed in the appropriate manner and there is a resulting breach, the results could be extremely negative for your agency. On the other hand, a conscientious and transparent approach to this will build on the trust and strong relationships you have with your customers.