What are 93H & 93I?


Massachusetts General Law Chapter 93H is a law requiring all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law. 93I requires the shredding or destruction of any paper files containing sensitive information and the erasure or destruction of any electronic files or data storage devices containing personal information of employees or customers. 93I also requires a written policy regarding the disposal of sensitive information.

What must we do?


The compliance standards for this new data protection law include the following:


A written comprehensive information security program (CISP). 


Controls on employees’ access to sensitive information, including physical security safeguards, computer user access levels and user authentication protocols.


Security measures on computer information systems, including data encryption, anti-virus and anti-spyware software, and firewalls.


Periodic review of audit trails and monitoring of systems for unauthorized access.


Proper disposal of sensitive information, as outlined in new Massachusetts data protection laws.

How can GraVoc help?


In addition to being a leader in information systems and financial consulting, over the last several years, GraVoc has expanded its range of services to cover information security. GraVoc will work to keep your company compliant with Massachusetts data protection and privacy laws. GraVoc’s information security practices have a tremendous reputation in the banking industry—the most heavily regulated industry in the country. Over the last decade, GraVoc has helped over 65 regional banks and credit unions design information security policies, perform risk assessments, comply with strict regulations, and keep financial information safe. As MGL 93H and 93I do not discriminate by industry, neither does GraVoc.

GraVoc can:


Help you design policies regarding information security, acceptable use, information technology, vendor management, and incident response so that you can document your compliance with these strict regulations.


Perform a vulnerability assessment of your information technology infrastructure to diagnose your weaknesses and prescribe solutions to keep your information technology safe.


Perform a risk assessment, taking into account the standards of MGL 93H and 93I, to identify how strong your controls are for protecting this sensitive information and where you need improvement.


Help administer cost-effective hardware and software solutions to make your business more secure, including data encryption, anti-virus, anti-malware, and anti-spyware software, network infrastructure and firewall improvement, and even employee training.

Is it so expensive that we should take our chances?


GraVoc’s programs regarding 93H and 93I are scalable and GraVoc is willing to scale our services to the size of your budget.  These two laws are especially ambitious, and GraVoc is committed to helping our customers be proactive.  We can work together to prevent identity theft.


Copyright © 2010 GraVoc Associates Inc.

What are the penalties?


A violation of 93H carries fines of up to $5,000 per record compromised.


A violation of 93I carries fines of up to $100 per record compromised, with a maximum of $50,000.


This does not take into consideration the loss of your company’s hard-earned reputation and the potential loss of credit.

MGL 93H & 93I

Contact us: nateg@gravoc.com
