Data Protection Impact Assessment (DPIA) - Massachusetts

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Commonwealth of Massachusetts

Prepared By: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date of Assessment: [__/__/____]
Assessment Version: [____]
Classification: ☐ Confidential ☐ Internal Use Only ☐ Restricted

CRITICAL COMPLIANCE NOTE: Massachusetts has one of the most prescriptive data security regulatory frameworks in the United States. The combination of M.G.L. c. 93H (breach notification) and 201 CMR 17.00 (mandatory Written Information Security Program -- WISP) creates obligations far more specific than the "reasonable security" standard found in most states. Any organization that owns or licenses personal information of Massachusetts residents must maintain a comprehensive WISP regardless of where the organization is located. Failure to comply can result in penalties of up to $5,000 per affected individual, AG enforcement actions under c. 93A, and significant reputational harm.

1. Project Overview

1.1 Project Identification

1.2 Project Description

Purpose and Objectives:
[________________________________]

Business Justification:
[________________________________]

Anticipated Duration: ☐ One-time project ☐ Ongoing operation ☐ Defined period: [____]

1.3 Massachusetts Nexus Analysis

☐ Organization owns personal information of Massachusetts residents
☐ Organization licenses personal information of Massachusetts residents
☐ Organization stores or maintains personal information of Massachusetts residents
☐ Organization otherwise receives personal information of Massachusetts residents
☐ Organization employs individuals in Massachusetts
☐ Organization is physically located in Massachusetts

PRACTITIONER NOTE: 201 CMR 17.00 applies to every person or entity that owns or licenses personal information about a Massachusetts resident. There is no size threshold, revenue threshold, or industry exemption. The regulation applies regardless of whether the organization is physically located in Massachusetts. This makes Massachusetts one of the most broadly applicable state data security regimes in the country.

2. Scope of Processing

2.1 Data Subjects

Identify all categories of individuals whose data is processed:

☐ Massachusetts resident customers/consumers
☐ Employees located in Massachusetts
☐ Remote employees who are Massachusetts residents
☐ Independent contractors
☐ Job applicants
☐ Website visitors
☐ Vendors/suppliers
☐ Minors (under 18)
☐ Other: [________________________________]

Estimated number of Massachusetts residents affected: [________________________________]

2.2 Categories of Personal Information

Personal Information under M.G.L. c. 93H, Section 1 (Breach Notification):

"Personal information" means a Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements:

☐ Social Security number
☐ Driver's license number or state-issued identification card number
☐ Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to a resident's financial account

NOTE: Massachusetts has a narrower PI definition for breach notification purposes than many states. It does not include medical information, biometric data, or login credentials in the c. 93H definition. However, the 201 CMR 17.00 WISP requirement protects PI broadly.

Personal Information under 201 CMR 17.00 (WISP Requirement):

The regulation protects the same PI definition as c. 93H. The WISP must protect:

• First name or first initial + last name in combination with SSN, driver's license/state ID, or financial account number
• Both paper AND electronic records containing PI

2.3 Sensitive Data Considerations

☐ Social Security numbers (primary trigger for 201 CMR 17.00 obligations)
☐ Driver's license / state-issued ID numbers
☐ Financial account numbers / credit card numbers
☐ Health information (HIPAA overlay, c. 111 medical records)
☐ Employee personnel records
☐ Minor's data (COPPA obligations)
☐ Tax identification numbers
☐ Biometric data (not in c. 93H PI definition but may trigger other obligations)

2.4 Data Volume and Retention

2.5 Processing Activities

☐ Collection (direct from individual)
☐ Collection (from third parties)
☐ Storage/hosting (electronic)
☐ Storage (paper records)
☐ Analysis/profiling
☐ Sharing with affiliates
☐ Sharing with third-party service providers
☐ Transfer to other jurisdictions
☐ Printing/physical distribution
☐ Automated decision-making
☐ De-identification/anonymization
☐ Destruction/disposal
☐ Other: [________________________________]

3. Legal Basis and Massachusetts Law Overlay

3.1 Applicable Massachusetts Statutes and Regulations

A. M.G.L. c. 93H: Security Breaches (Breach Notification)

• Enacted: 2007; substantially amended August 2019 (effective April 11, 2019)
• Applicability: Any person or agency that owns or licenses data that includes personal information of a Massachusetts resident, or any person or agency that stores or maintains (but does not own or license) such data.
• Key 2019 Amendments:
• Expanded notification requirements
• Required specific content in breach notifications
• Required credit monitoring services
• Added AG/OCABR notification requirements

B. 201 CMR 17.00: Standards for the Protection of Personal Information

• Effective: March 1, 2010
• Authority: Promulgated under M.G.L. c. 93H
• Applicability: Every person that owns or licenses personal information about a resident of the Commonwealth
• Core Requirement: Develop, implement, and maintain a comprehensive Written Information Security Program (WISP) containing administrative, technical, and physical safeguards
• No Exemptions: No size, revenue, or industry exemptions. The regulation requires safeguards "consistent with safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."

C. M.G.L. c. 93I: Security Freezes and Credit Monitoring

• Provides consumers the right to place security freezes on credit reports
• Requires entities to offer credit monitoring services following breaches

D. M.G.L. c. 93A: Consumer Protection Act

• Violations of c. 93H and 201 CMR 17.00 may constitute unfair or deceptive acts under c. 93A
• Private right of action available (treble damages)
• AG enforcement authority

E. M.G.L. c. 214, Section 1B: Right of Privacy

• Provides a general right of privacy that may overlay data protection obligations

3.2 Consumer Rights Assessment (Massachusetts)

4. Written Information Security Program (WISP) Compliance

4.1 201 CMR 17.00 -- Mandatory WISP Requirements

This is the most critical section of this DPIA for Massachusetts compliance. 201 CMR 17.00 requires every covered entity to maintain a comprehensive WISP. The WISP must be "reasonably consistent with industry standards" and appropriate to the size, scope, and type of business, the amount of resources available, the amount of stored data, and the need for security and confidentiality.

4.2 Administrative Safeguards (201 CMR 17.03)

4.3 Technical Safeguards (201 CMR 17.04)

MANDATORY technical security measures (to the extent technically feasible):

PRACTITIONER NOTE ON ENCRYPTION: Massachusetts is one of the few states that specifically mandates encryption of PI on portable devices and when transmitted across public networks. This is not a "reasonable measures" suggestion -- it is a regulatory requirement under 201 CMR 17.04. Failure to encrypt PI on a stolen laptop, for example, creates both a breach notification obligation AND a WISP compliance violation, potentially compounding liability.

4.4 Physical Safeguards

☐ Locked facilities, storage areas, or containers for paper records containing PI
☐ Visitor access controls for areas where PI is stored or processed
☐ Records containing PI stored in locked rooms or file cabinets when not supervised
☐ Clean desk policy for documents containing PI
☐ Secure disposal of paper records (cross-cut shredding minimum)
☐ Secure disposal of electronic media (NIST 800-88 compliant wiping or physical destruction)

4.5 WISP Document Compliance Assessment

5. Data Flow and Transfers

5.1 Data Flow Mapping

201 CMR 17.04 REMINDER: ALL transmissions of PI across public networks or wirelessly MUST be encrypted. Map every data flow involving PI and verify encryption status.

5.2 Third-Party Service Providers

201 CMR 17.03 requires: Oversight of third-party service providers by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate security measures to protect PI consistent with 201 CMR 17.00 and any applicable federal regulations, and requiring such third-party service providers by contract to implement and maintain such appropriate security measures.

Third-Party Contractual Requirements Checklist:
☐ Contract requires service provider to implement appropriate security measures for PI
☐ Contract addresses encryption requirements for PI in transit and at rest
☐ Contract addresses data return/destruction upon termination
☐ Contract addresses breach notification obligations (service provider to data owner)
☐ Contract addresses employee training on PI protection
☐ Contract reviewed by MA-licensed counsel

5.3 Cross-Border Transfers

☐ Data remains within the United States
☐ Data transferred internationally -- specify jurisdictions: [________________________________]
☐ Encryption applied to all international transfers containing PI
☐ Transfer mechanisms in place: ☐ Standard Contractual Clauses ☐ Binding Corporate Rules ☐ Other

5.4 Paper Records

☐ Paper records containing PI identified and inventoried
☐ Locked storage for paper records (201 CMR 17.03 requirement)
☐ End-of-day lockup procedures for supervised areas
☐ Secure transport procedures for paper records containing PI
☐ Shredding procedures for PI document disposal

6. Risk Assessment

6.1 Risk Assessment (201 CMR 17.03 Requirement)

201 CMR 17.03 mandates that the WISP include identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, or other records containing PI, and evaluation and improvement of the effectiveness of the current safeguards.

6.2 Threat Identification

6.3 Risk Rating Matrix

6.4 201 CMR 17.00 Gap Analysis

7. Mitigations and Residual Risk

7.1 Planned Mitigations

7.2 Testing and Validation

☐ Penetration test scheduled/completed: Date: [__/__/____]
☐ WISP annual review completed: Date: [__/__/____]
☐ 201 CMR 17.00 gap assessment completed
☐ Encryption verification for all portable devices containing PI
☐ Encryption verification for all PI transmissions across public networks
☐ Vendor contractual compliance review completed
☐ Employee training records verified current
☐ Breach notification tabletop exercise completed (including AG + OCABR notification)
☐ Paper record security audit completed
☐ Terminated employee access audit completed

7.3 Residual Risk Determination

Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical

Decision: ☐ Accept residual risk ☐ Implement additional mitigations ☐ Block/do not proceed

Justification:
[________________________________]

8. Incident Response and Breach Notification

8.1 Massachusetts Breach Notification Requirements (M.G.L. c. 93H, Section 3)

Triggering Event: A breach of security -- the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of PI, maintained by a person or agency, that creates a substantial risk of identity theft or fraud against a Massachusetts resident.

Definition of Personal Information (M.G.L. c. 93H, Section 1):
First name and last name (or first initial and last name) in combination with:

• Social Security number
• Driver's license number or state-issued identification card number
• Financial account number, or credit/debit card number, with or without any required security code, access code, PIN, or password

Notification Requirements:

AG/OCABR Notice Content (c. 93H, Section 3):
Notice to the AG and OCABR must include:

• Nature of the breach of security or unauthorized acquisition or use
• Number of Massachusetts residents affected at time of notification
• Name and address of the person or agency experiencing the breach
• Name and title of the person responsible for such notification
• Relationship between the person or agency and the affected Massachusetts residents
• Person responsible for the breach (if known)
• Type of PI compromised (SSN, driver's license, financial account)
• Whether the person or agency maintains a WISP
• Steps taken or planned to address the breach
• Steps taken to assist affected residents
• Whether a law enforcement agency is investigating

Individual Notice Content (c. 93H, Section 3):
Notice to affected residents must include:

• Consumer's right to obtain a police report
• How to request a security freeze and associated fees
• Consumer's right to file a complaint with the FTC and AG
• Contact information for the FTC, AG, and credit reporting agencies

Credit Monitoring Requirements (c. 93H, Section 3):

8.2 Incident Response Plan

Phase 1: Detection and Initial Assessment (0-24 hours)
☐ Incident identified and logged
☐ Incident response team activated
☐ WISP coordinator notified
☐ Initial scope assessed: Is PI of Massachusetts residents involved?
☐ Evidence preservation initiated
☐ Legal counsel engaged (MA-licensed attorney)
☐ Determination: Is this a "breach of security" under c. 93H?
☐ Assess whether unencrypted PI was acquired or encrypted PI + key compromised

Phase 2: Investigation and Containment (24-72 hours)
☐ Full scope of breach determined
☐ Number of Massachusetts residents affected identified
☐ Specific categories of PI compromised (SSN, DL, financial account)
☐ Breach contained and systems secured
☐ Law enforcement notification (may request delay)
☐ Encryption status verified -- safe harbor analysis
☐ Substantial risk of identity theft or fraud assessed
☐ WISP compliance status documented (AG will ask)

Phase 3: Notification Preparation
☐ Draft AG notification (using AG's designated online portal format)
☐ Draft OCABR notification (parallel filing)
☐ Draft individual notification letter with all required content:
☐ Right to obtain police report
☐ How to request security freeze
☐ Right to file complaint with FTC and AG
☐ Contact information for FTC, AG, and CRAs
☐ Arrange credit monitoring services:
☐ SSN breach: 18 months minimum
☐ CRA breach: 42 months minimum
☐ Substitute notice evaluated if applicable

Phase 4: Notification Delivery
☐ AG notification submitted via designated portal: [__/__/____]
☐ OCABR notification submitted: [__/__/____]
☐ Individual notices mailed/sent: [__/__/____]
☐ Credit monitoring enrollment information provided
☐ Substitute notice deployed (if applicable)

Phase 5: Post-Incident Review (201 CMR 17.03(2)(h))
☐ Incident documented per 201 CMR 17.03 requirements
☐ Root cause analysis completed
☐ WISP updated based on lessons learned
☐ Training updated to address incident type
☐ Vendor contracts reviewed (if third-party breach)
☐ Annual WISP review schedule updated if needed

8.3 Penalties and Enforcement

8.4 Multi-Jurisdictional Coordination

☐ Identify all states where affected individuals reside
☐ Massachusetts notification timeline ("as soon as practicable") is among the most urgent
☐ Credit monitoring obligations unique to MA -- budget accordingly
☐ Federal law overlay analysis (GLBA, HIPAA, FERPA) completed
☐ Note: Massachusetts does not provide a GLBA/HIPAA exemption from c. 93H notification

9. Massachusetts-Specific Compliance Checklist

9.1 201 CMR 17.00 WISP Compliance Summary

9.2 Key Massachusetts Distinctions

9.3 Annual WISP Review Checklist

The following must be reviewed at least annually per 201 CMR 17.03(2)(g):

☐ Scope of security measures reviewed against current operations
☐ Risk assessment updated for new threats
☐ Employee training program assessed and updated
☐ Technical controls verified (firewalls, patches, antivirus, encryption)
☐ Access control lists reviewed and purged
☐ Vendor/service provider compliance verified
☐ Physical security measures assessed
☐ Incident response plan tested
☐ Terminated employee access procedures verified
☐ WISP document updated and re-approved
☐ Date of annual review: [__/__/____]
☐ Reviewer(s): [________________________________]

10. Approvals and Accountability

10.1 DPIA Review and Sign-Off

10.2 Review Schedule

☐ Annual review required (aligned with WISP annual review): Next review date: [__/__/____]
☐ Triggered review upon material change to processing
☐ Triggered review upon change to Massachusetts law or 201 CMR 17.00
☐ Triggered review upon security incident involving Massachusetts resident data
☐ Triggered review upon new vendor engagement involving MA PI

10.3 Decision

☐ APPROVED -- Processing may proceed subject to identified mitigations and WISP compliance
☐ CONDITIONALLY APPROVED -- Processing may proceed only after completion of: [________________________________]
☐ NOT APPROVED -- Processing may not proceed. Reason: [________________________________]

Decision Authority:

Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Signature: [________________________________]

11. Attachments

☐ Written Information Security Program (WISP) -- current version
☐ 201 CMR 17.00 gap assessment report
☐ Data flow diagrams / system architecture
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements (with 201 CMR 17.03 contractual terms)
☐ Encryption inventory (portable devices and network transmissions)
☐ Breach notification templates (AG portal, OCABR, individual)
☐ Credit monitoring service provider agreement
☐ Employee training records and materials
☐ Annual WISP review documentation
☐ Penetration test / vulnerability assessment reports
☐ Data destruction certificates / procedures
☐ Risk assessment documentation

Sources and References

• M.G.L. c. 93H (Security Breaches): https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H
• 201 CMR 17.00 (Standards for Protection of Personal Information): https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth
• Massachusetts AG Data Breach Reporting: https://www.mass.gov/how-to/report-a-data-breach
• M.G.L. c. 93A (Consumer Protection Act): https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93A
• Massachusetts OCABR: https://www.mass.gov/orgs/office-of-consumer-affairs-and-business-regulation
• M.G.L. c. 93I (Security Freezes): https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93I
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework