The Commonwealth’s Data Breach Security Law, Mass. General Law, Chapter 93H, has been in effect since October 31, 2007. The law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to providing notice to government agencies, businesses or individuals that store or maintain personal information must notify the owner or licensor of the information if they know or have reason to know of such a breach, acquisition or use. See here for more information about requirements for businesses in reporting a security breach.

The following information is the number of data breach notifications that the Office has received since the notification law took effect. The below table also includes information about the number of Massachusetts residents affected by those data breaches.

Breaches and Residents Affected By Year


# of Breach Notifications

# of MA Residents Affected

2007 (Nov to Dec)308,499