Where a person who owns or licenses personal information knows or has reason to know (1) of a security breach, or (2) that the personal information of a Massachusetts resident was acquired or used by an unauthorized person or for an unauthorized purpose, that person must notify the Attorney General and the Office of Consumer Affairs and Business Regulation of that breach or unauthorized acquisition or use.

A "security breach" is defined in the law as "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure."

"Personal information" is defined in the law as "a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account." Excluded from "personal information" is information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

The notifications to the Office of Consumer Affairs and Business Regulation and to the Attorney General must include:

  • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
  • The number of Massachusetts residents affected as of the time of notification;
  • The steps already taken relative to the incident;
  • Any steps intended to be taken relative to the incident subsequent to notification; and
  • Information regarding whether law enforcement is engaged in investigating the incident.