MASSACHUSETTS REGULATIONS REQUIRE A WRITTEN INFORMATION SECURITY PROGRAM

201 CMR 17 Compliance: Pass the WISP Inspection With Documentation on File.

Massachusetts 201 CMR 17.00 has required a Written Information Security Program (WISP) since 2010. The Attorney General reviews it whenever a breach involves Massachusetts residents — and finds gaps every time. We translate the WISP requirements in a 30-minute call. If your current IT can already produce the 12 required elements, you don’t need us.

Updated May 3, 2026

Why WISP templates fail Massachusetts 201 CMR 17 audits

If you came to this page searching for a free 201 CMR 17 WISP template, here’s the honest answer: there isn’t one that will pass a Massachusetts AG audit. The regulation makes templates legally inadequate.

201 CMR 17.03(2) requires every covered business to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size of the business AND the type of records being maintained.” The phrase “appropriate to” is doing the legal work. It requires the WISP to be risk-based and business-specific. A template — by definition — is neither.

Four reasons a downloaded template fails the audit:

1. Risk assessment is mandatory and must be specific to your operation.
201 CMR 17.03(2)(b) requires identifying “reasonably foreseeable internal and external risks” to your specific personal information. A template lists generic risks. Auditors ask which risks YOUR business identified, when, by whom, and what controls now mitigate them. There is no boilerplate answer to that.

2. Technical safeguards must map to systems you actually run.
201 CMR 17.04 lists specific controls: secure user authentication, access controls, encryption (in transit and at rest), monitoring, firmware updates, firewall protection, antivirus, and security patches. A template that says “use a firewall” does not satisfy the documentation requirement. The auditor wants to see WHICH firewall, configured HOW, monitored by WHOM, reviewed on WHAT schedule.

3. Annual review evidence is required.
201 CMR 17.03(2)(i) requires “reviewing the scope of the security measures at least annually or whenever there is a material change in business practices.” Auditors ask for the review record — date, attendees, findings, changes made. A template provides no review history. The first audit will fail on this alone.

4. Designated responsibility and incident response must match your org chart.
201 CMR 17.03(2)(a) requires designating one or more employees to maintain the WISP. 17.03(2)(j) requires post-incident review and improvement. Both require named people, signed roles, and dated artifacts. A template cannot name your security officer or document your last incident response.

The sections below detail what the Attorney General inspects after a Massachusetts breach, what evidence is required in audit, and the WISP elements that distinguish compliant from non-compliant documentation.

What does 201 CMR 17 actually require?

Massachusetts 201 CMR 17.00 — Standards for the Protection of Personal Information of Residents of the Commonwealth — applies to any person or entity that owns or licenses personal information about a Massachusetts resident. The regulation requires a Written Information Security Program (WISP) with twelve specific elements documented in writing.

The twelve required elements:

1. Designating one or more employees to maintain the program.
2. Identifying and assessing reasonably foreseeable risks.
3. Developing security policies covering personal information storage and access.
4. Imposing disciplinary measures for violations.
5. Preventing terminated-employee access.
6. Overseeing service providers with contractual safeguards.
7. Restricting physical access to records.
8. Monitoring the WISP’s effectiveness.
9. Reviewing program scope at least annually.
10. Documenting responsive actions after incidents.
11. Training employees.
12. Ensuring third-party service-provider compliance.

The technical computer security requirements (Section 17.04) layer on top: secure user authentication, secure access control, encryption of personal information transmitted across public networks and stored on portable devices, monitoring for unauthorized access, firewall protection on internet-connected systems, current malware protection, and reasonably up-to-date system security agent software.

Massachusetts is the only state that requires WISP-by-statute with prescribed elements. Other states reference “reasonable safeguards” without prescribing the program structure. Compliance with 201 CMR 17.00 typically satisfies state-law analogs in Connecticut, New York, Rhode Island, and most other Northeast jurisdictions — making it the operational baseline for multi-state firms.

What does the Massachusetts AG inspect after a breach?

The AG’s Office and the Office of Consumer Affairs and Business Regulation (OCABR) inspect the WISP first when a breach affecting Massachusetts residents triggers notification. The inspection follows the twelve elements as a checklist — each element either has documented evidence or it does not.

The risk assessment is the most-checked element. 201 CMR 17.03(2)(b) requires identifying and assessing “reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity” of personal information records. A risk assessment that is generic, undated, or copied from a vendor template fails inspection. The AG expects entity-specific analysis with named risks and mapped safeguards.

Service-provider oversight is the second-most-checked. 201 CMR 17.03(2)(f) requires contractual safeguards with vendors handling personal information and ongoing oversight. The contract with the IT vendor, the cloud provider, the payroll processor, and any other vendor in the data path must include specific 201 CMR 17 language. Most firms discover gaps here when they pull contracts during inspection.

Compliance is a point-in-time snapshot, not a permanent state. The WISP from when 201 CMR 17 first became enforceable in 2010 does not protect you in 2026 — your data, your vendors, your systems, and the threat landscape have all changed. The annual review element (17.03(2)(i)) is required precisely because the program must evolve.


What happens if your WISP fails AG inspection?

Failure to maintain a compliant WISP after a breach typically triggers Assurance of Discontinuance negotiation with the AG. Settlements have ranged from $25,000 for small breaches with cooperative defendants to $7+ million for large breaches with documentation gaps. The AG publishes settlement details, including the specific WISP elements that were missing or inadequate.

Beyond the AG financial penalty, a 201 CMR 17 finding affects every subsequent state-AG inquiry from a breach. NY AG, CT AG, RI AG, and other state regulators increasingly request the WISP first when investigating breaches involving their residents. A WISP inadequate for Massachusetts is typically inadequate for the whole region.

For Massachusetts firms, the OCABR can also seek injunctive relief — court-ordered compliance and ongoing monitoring. The monitoring obligations can run 5-10 years and create operational overhead substantially exceeding the original compliance investment.

The harder consequence is contractual. Many B2B contracts with Massachusetts customers (particularly state agencies, large employers, and healthcare systems) cite 201 CMR 17 compliance as a vendor requirement. A documented WISP failure exposes the firm to contract termination clauses and warranty exposure separate from the AG action.

How does Triton get your firm 201 CMR 17 compliant?

We deploy Sophos Endpoint XDR for endpoint detection and response, Microsoft Defender for authentication and access control, Sophos Firewall enforcing perimeter and internet-facing system protection, and AWS-backed immutable backup with encryption at rest and in transit. We then author the WISP covering all twelve required elements with the technical safeguards mapped underneath.

The stack matters because 201 CMR 17.04 prescribes technical computer security requirements specifically — user authentication, access control, encryption, monitoring, firewall, malware protection, and current security agent software. Each is a separate requirement with documented evidence expectations. Sophos and Defender produce the evidence; AWS provides the encrypted-storage attestation; we map each to the WISP.

We deploy on AWS because downtime is not an option. When a critical system goes down — including the systems holding personal information — AWS support responds with enterprise urgency. Every dollar of downtime is regulatory exposure.

Our typical 201 CMR 17 readiness engagement delivers the WISP, the technical stack with documented evidence, the vendor management procedures, and the annual review schedule inside 60-90 days. We coordinate with outside counsel for the WISP legal review — the attorney signs off on the document; we produce and operate the underlying evidence file.


What evidence does the AG actually want on file for the WISP?

Twelve elements, in the format the AG inspection follows. Each must have documented evidence with revision history.

Why start now? Because the WISP isn't something you can write after the fact.

When a breach occurs and notification to Massachusetts residents triggers AG inspection, the WISP either exists with twelve documented elements or it doesn’t. There is no remediation window after the fact. Building a WISP under post-breach pressure costs 2-3x what proactive readiness costs and produces a weaker document.

The Massachusetts firms and Massachusetts-touching firms across the Northeast that we have helped through 201 CMR 17 readiness started the work 60-90 days before their target dates. The firms that discovered the requirement during a breach paid for emergency outside counsel, forensic investigators, and rushed program authoring simultaneously — and produced WISPs that subsequent AG settlements quoted critically.

Frequently Asked Questions

Does 201 CMR 17 apply to firms located outside Massachusetts?

Yes. 201 CMR 17 applies based on whose personal information you hold, not where you operate. A CT firm with even one Massachusetts-resident customer’s personal information must have a WISP. Multi-state firms across New England typically hold MA-resident data and are in scope.

What counts as personal information under 201 CMR 17?

Personal information under 201 CMR 17 is a Massachusetts resident’s first name (or first initial) and last name in combination with: Social Security number, driver’s license/ID number, financial account number, credit/debit card number, or biometric information. The combination requirement matters — a name alone is not personal information; an SSN alone without the name is not personal information; the combination is.

Does HIPAA compliance cover 201 CMR 17?

Partially. HIPAA-covered healthcare entities have a structured exemption for PHI (the Massachusetts regulation defers to HIPAA for that data). Non-PHI data — employee data, marketing data, vendor data — remains in 201 CMR 17 scope. Most healthcare practices have a WISP for the non-PHI data and rely on the HIPAA Security Rule for the PHI.

Is a privacy policy the same as a WISP?

No. A privacy policy is a consumer-facing document about what the firm does with data. A WISP is an internal operational document about how the firm protects data. They are different artifacts with different purposes. Many firms have a privacy policy on the website but no WISP — and the AG considers that a 201 CMR 17 violation.

What does 201 CMR 17 readiness cost?

Total readiness investment for a 25-100 employee MA-touching firm typically runs $25,000 to $55,000 in the first year. The split: WISP authoring with outside counsel ($8-18K), risk assessment ($4-10K), technical safeguards stack ($8-18K), vendor agreements update ($3-8K), annual review and training ($2-5K).

Can a WISP template be used at all?

Templates are starting points, not finished products. The AG specifically looks for entity-specific risk analysis and entity-specific safeguards mapped to the firm’s operations. A WISP that copies a template without customization fails inspection. Templates work for structure; the content must be specific.

Does cyber insurance satisfy the 201 CMR 17 requirement?

Insurance covers financial loss; it does not satisfy the regulatory requirement to maintain a WISP. The two are complementary. Insurance carriers increasingly require WISP-aligned safeguards as a condition of coverage — meaning compliance work supports both regulatory and insurance needs simultaneously.

Does dark web monitoring count as a 201 CMR 17 safeguard?

No. Dark web monitoring is a notification service, not a 201 CMR 17 safeguard. The technical computer security requirements (17.04) prescribe specific controls — authentication, access control, encryption, monitoring, firewall, malware protection. Dark web alerts do not satisfy any of these. We do not bundle dark web monitoring, and it does not appear in any 201 CMR 17 evidence list.

Founded in 2001: 25 years of IT expertise

Regional offices: Worcester · Providence · Hartford

National benchmark: ranked 84th percentile nationally

Third-party verified: under 10 minute response

Multi-framework compliance: HIPAA · CMMC · SOC 2 · PCI

Let's Discuss Your IT Needs

Triton Technologies delivers managed IT services, cybersecurity, and IT support for businesses across the Northeast. Contact our team today to start a conversation about your technology environment.
