The Massachusetts Data Protection Law, sometimes referred to as Massachusetts General Law 93H & I or 201 CMR 17.00, goes into effect on January 1, 2010, and the general consensus is that the effective date is NOT going to be delayed for a third time. This law requires all companies holding “personal information” about a Massachusetts resident to have a comprehensive written information security policy. It also requires any company holding such personal information to undertake reasonably daunting efforts to protect both paper and electronic records in order to prevent a data breach.
“Personal information” is defined as a person’s name, or first initial and last name, in conjunction with a Social Security number, a government-issued ID number, a driver’s license number, or a financial account number (including credit and debit card numbers). This covers both customer information and employee information, so virtually every business in the state will have to comply with this law.
The many provisions required by this aggressive law include procedural controls, physical controls, and technological controls. Among the more challenging measures to be mandated under this law are the following:
- A comprehensive, written information security policy regarding the protection of information both in physical and electronic forms.
- A vendor management program that ensures that all vendors, service providers, and contractors with access to personal information are also taking adequate measures to curb identity theft and data breaches and to become compliant with this law.
- Higher levels of physical information protection, such as the use of locked containers and locked facilities.
- Challenging standards for electronic data protection, including the encryption of hard drives and portable devices like laptops, PDAs, and flash drives that contain personal information.
As this law sets very high standards and expectations and threatens to levy strict fines against noncompliant businesses, small and midsized businesses may not know where to turn. GraVoc’s information security team has been monitoring the law’s provisions and its evolution over the past year. GraVoc is committed to helping clients comply with this law and proactively quell the risk of data breaches and identity theft.
GraVoc Associates, Inc., a full-service consulting firm based in Peabody, MA, is celebrating 15 years of business in Greater Boston and throughout New England. GraVoc offers a wide range of services in the fields of information security, information systems, and technology and financial services, including Massachusetts Data Protection Law compliance services. For more information on GraVoc’s information security work in the highly regulated financial industry, or for more information about 93H compliance services, please visit GraVoc.com.