SENATE, No. 2058

By Mr. Morrissey, a petition (accompanied by bill, Senate, No. 2058) of Michael W. Morrissey for legislation to require companies that collect personal information to disclose when said data has been compromised. Consumer Protection and Professional Licensure.

The Commonwealth of Massachusetts

In the Year Two Thousand and Five.

AN ACT REQUIRING COMPANIES THAT COLLECT PERSONAL INFORMATION TO DISCLOSE WHEN SAID DATA HAS BEEN COMPROMISED

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1.

Section 50 of chapter 93 of the General Laws, as appearing in the 2002 Official Edition, is hereby amended by inserting the following definitions:-

“Breach”, any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector, including, but not limited to, unauthorized photocopying, facsimiles, or other paper-based transmittal of documents.

“Data Collector”, any entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information, including, but not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators and businesses.

“Personal Information”, any information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, a name, signature, social security number, fingerprint, photograph or computerized image, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, date of birth, medical information, bank account number, credit card number, debit card number, or any other financial information.

SECTION 2.

Said chapter 93 is hereby amended by inserting after section 55 the following section:-

Section 55A. (a) Any data collector who owns or uses the personal information of any resident of the commonwealth shall notify the resident that there has been a breach of the security of the personal information following discovery or notification of said breach, without regard to whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security and confidentiality of the data system. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise or impede a criminal investigation. For purposes of this section, “notice” to consumers may be written, electronic, or by substitute notice if the data collector demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds 500,000, or that the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: an e-mail notice when the data collector has an e-mail address for the subject persons; conspicuous posting of the notice on the data collector’s web site, if the data collector maintains one; and notification to major statewide media.