How to Comply with New Massachusetts Privacy Regulations
By Matthew J. Putvinski

Matthew Putvinski
Matthew Putvinski
Massachusetts’ tough new data privacy law increases the responsibility of nonprofits for safeguarding personal information they collect and significantly increases potential penalties in connection with data breaches #147; which will inevitably occur.

If your organization has as little information about a customer, member, employee, or donor as a first initial with last name, combined with a Social Security number, state issued identification number, financial account, credit, or debit card number, you must comply with the new law, commonly referred to as CMR 17.

Your organization will also be held accountable in the event of a security breach, and therefore you should be able to demonstrate that you complied with the regulations.

Here are ways to help your organization comply with CMR 17.


Document ways in which you may have access to or store the personal information of Massachusetts residents. That includes:
  • The information that relates to social security, driver’s licenses, or financial account numbers.
  • Where the data is stored (paper versus electronic).
  • The vendors that receive this information.
  • The reasons you have this information.
Assess Your Vendors

You must ensure that the contract with vendors who share this information includes clauses stating that they will be in compliance with CMR 17. This will be required in all contracts by March 1, 2012. Ask the vendors to provide you assurance that they are meeting the regulations in the form of a simple letter attesting to the regulation or by providing a copy of their written information security program.

Lock Down the Paper

Consider where paper documents are stored and if they can be locked down #147; a locked cabinet with a key nearby doesn’t count. Employees should clean their desks at night, and your agreement with the cleaners should stipulate their accountability if their employees take your information.

Destroying your documents is important. Using standard garbage bins is unacceptable. If you find yourself disposing of a minor amount of data, utilize a good shredder. Larger amounts of paper should be handled by professional shredding companies.

Protect Your Files

If you outsource your information technology (IT) function, it’s important to ask whether their company is sufficiently compliant with the regulation.

Servers and desktops in your office collect a variety of activity data. It’s imperative that you work with your IT administrator to collect and review this information. This is helpful for two reasons:
  1. It will flag unusual activity. Depending on the risk, it may be worth investing in software applications that look for unusual activity, rather than having your employees trying to search through all of the data.

  2. It gives a history of what happened. If you suspect a breach, the first thing any forensics expert will do is review the logs.

The encryption requirement is probably one of the most costly elements of the regulation. If data that contains social security numbers, driver’s license numbers, or financial account numbers reside on a portable device such as a laptop, smartphone, flash drive, or backup tape, it should be encrypted.

Wireless access is an extremely cost effective tool but if it is not set up properly, someone can simply sit outside your office and collect your data. Encryption is critical on these devices.


The law requires that you inform employees of their responsibilities for securing your information. It’s important that as a part of this training you not only educate them on what they must do, but also help them understand why. You need to build a culture around the office where security is on the minds of employees.

Prepare for a Breach

It’s not a matter of if a breach occurs but when it will occur, so right now identify:
  • The steps will you take when a breach occurs.
  • What needs to be communicated to the state.
  • What needs to be reported to those whose information was exposed.
  • The forensic specialist you will call.
  • The attorney who can help you respond appropriately.
  • Your media response and spokesperson.
Matthew Putvinski CPA, CISA, CISSP, serves as director of Wolf and Company's Information Technology (IT) Assurance Services group. He can be reached at or 617-428-5479.
September 2011