Data breaches and cyber-attacks are damaging, costly, and put the personal information of Massachusetts residents at risk. It is extremely important that entities which own, license, store, maintain, or process the personal information of Massachusetts residents work to protect this sensitive information.
These breaches can occur due to intentional hacking or criminal cyber-attacks, or because of human error, such as sending an e-mail to the wrong person, or losing a laptop. Institutions experiencing data breaches range from the largest, most sophisticated institutions in the Commonwealth to small businesses with only one or two employees.
From January 1, 2010 through August 2011, the Attorney General’s Office received 1,166 notices of data breach, affecting nearly 2.1 million Massachusetts consumers. While many breaches affect a relatively small number of consumers, organizations have experienced many large data breaches affecting as many as 800,000 consumers.
The Attorney General’s Office works to both implement and enforce M.G.L. c. 93H, the Massachusetts Data Breach Notification Law. The Office is focused on making sure consumers receive proper notice that their information is at risk. Notification is important so that, depending on the circumstances, consumers can guard against harm, ranging from unauthorized use of a credit card to identity theft.
If your company or organization has experienced a data breach, there are important steps you must take.
Note: The following materials are provided for information purposes only to assist you in fulfilling your notice obligations pursuant to M.G.L. c. 93H, the law governing data breaches. This information should not be a substitute for assessing your notice obligations under M.G.L. c. 93H as notice obligations may vary on a case-by-case basis.
Pursuant to M.G.L. c. 93H, s. 3(b), if you own or license data that includes personal information of a Massachusetts resident, you are required to provide written notice as soon as practicable and without unreasonable delay to:
- The Attorney General (AGO);
- The Director of the Office of Consumer Affairs and Business Regulation (OCABR); and
- The affected Massachusetts resident
when you know or have reason to know (a) of a breach of security; or (b) that personal information of a Massachusetts resident was acquired by or used by an unauthorized person or used for an unauthorized purpose.
Notice to the AGO and OCABR
The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: (1) the nature of the breach of security or the unauthorized acquisition or use; (2) the number of Massachusetts residents affected by such incident at the time of notification; and (3) any steps the person or agency has taken or plans to take relating to the incident.
To assist you in this notification process, the AGO has prepared a sample letter outlining the minimum information that your notice should contain to the Attorney General. To download and view:
Executive Agency's Duty to Notify Information Technology Division and Division of Public Records
In addition, pursuant to M.G.L. c. 93H, s. 3(c), if any agency is within the executive department, it shall also provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to the information technology division and the division of public records. The agency shall provide this notice as soon as practicable and without unreasonable delay following the discovery of the breach of security or unauthorized acquisition or use.
Notice to Affected Massachusetts Residents
A person or agency that has experienced a breach of security or the unauthorized acquisition or use of personal information of Massachusetts residents must also provide notice to those affected Massachusetts residents. This notice shall include, but not be limited to:
1) the consumer's right to obtain a police report;
2) how a consumer requests a security freeze;
3) the necessary information to be provided when requesting the security freeze; and
4) any fees to be paid to any of the consumer reporting agencies, provided however, that the notification shall not include:
a) the nature of the breach or unauthorized acquisition or use; or
b) the number of Massachusetts residents affected by the security breach or the unauthorized access or use.
To assist you in this notification process, we have prepared a sample letter outlining the minimum information that your notice should contain to the affected Massachusetts resident(s). To download and view: