What is a data breach?
A data breach is the unauthorized acquisition or use of sensitive personal information that creates a substantial risk of identity theft or fraud.
Data breaches can be the result of criminal cyber-activity, such as hacking or ransomware, or because of employee error, such as emailing information to the wrong person.
What is personal information?
The law defines personal information as a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
- (a) Social Security number;
- (b) driver's license number or state-issued identification card number; or
- (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
Personal information does not include information that can be legally obtained from publicly available sources, such as addresses or birthdays.
When does my business need to report a data breach?
Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained, the business or entity that was breached must notify both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office of the breach.
The notification must include:
- A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
- The number of Massachusetts residents affected as of the time of notification;
- The steps already taken relative to the incident;
- Any steps intended to be taken relative to the incident subsequent to notification; and
- Information regarding whether law enforcement is engaged in investigating the incident.
It is important to understand that some breaches originate at a third-party vendor or other entity. For example, in addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card, the financial institution reports the breach as well.
The Comprehensive Written Information Security Program (WISP)
Every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program.
After a breach, it’s critical that the business that experienced the breach develop or review their risk-based written information security program that takes into account their business’ size, nature of their business, amount of resources, the type of records it maintains, and the need for security. A risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers.
Organizations that experience a breach must report whether they have a WISP to the Office of Consumer Affairs and Business Regulation and the Attorney General's Office.
201 CMR 17.00 Compliance Checklist
The Office of Consumer Affairs and Business Regulation has compiled this checklist to help small businesses in their effort to comply with 201 CMR 17.00. This checklist is not a substitute for compliance with 201 CMR 17.00. Rather, it is designed as a useful tool to aid in the development of a written information security program for a small business or individual that handles “personal information.” Each item, presented in question form, highlights a feature of 201 CMR 17.00 that will require proactive attention in order for a plan to be compliant.
The Comprehensive Written Information Security Program (WISP)
- Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts (“PI”)?
- Does the WISP include administrative, technical, and physical safeguards for PI protection?
- Have you designated one or more employees to maintain and supervise WISP implementation and performance?
- Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?
- Have you chosen, as an alternative, to treat all your records as if they all contained PI?
- Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI?
- Have you evaluated the effectiveness of current safeguards?
- Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?
- Does the WISP include disciplinary measures for violators?
- Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises?
- Does the WISP provide for immediately blocking terminated employees' physical and electronic access to PI records (including deactivating their passwords and user names)?
- Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?
- Have you required such third-party service provider by contract to implement and maintain such appropriate security measures?
- Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations?
- Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations?
- Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations?
- In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
- Have you stored your records and data containing PI in locked facilities, storage areas or containers?
- Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary?
- Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records?
- Do you have in place a procedure for documenting any actions taken in connection with any breach of security; and does that procedure require post-incident review of events and actions taken to improve security?
Additional Requirements for Electronic Records
- Do you have in place secure authentication protocols that provide for:
  - Control of user IDs and other identifiers?
  - A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?
  - Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?
  - Restricting access to PI to active users and active user accounts?
  - Blocking access after multiple unsuccessful attempts to gain access?
- Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?
- Do you assign unique identifications plus passwords (which are not vendor supplied default passwords) to each person with computer access; and are those IDs and passwords reasonably designed to maintain the security of those access controls?
- Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly?
- Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?
- Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
- On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI; and operating system security patches to maintain the integrity of the PI?
- Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?
- Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security?
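Several of the electronic-record items above (control of user IDs, passwords stored in a form that does not compromise the data they protect, access limited to active accounts, blocking after repeated failed attempts, and monitoring for unauthorized access) can be demonstrated in one small account store. The Python below is an added example written for this page; it is not code from the Office of Consumer Affairs and Business Regulation or from 201 CMR 17.00. The class names, the five-attempt lockout threshold, the PBKDF2 work factor and the sample users are assumptions chosen for illustration.

```python
"""Added example: a minimal account store showing the 201 CMR 17.00
electronic-record controls in working code. Nothing here is the
regulation's own text; thresholds and names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold ("multiple unsuccessful attempts")
PBKDF2_ITERATIONS = 200_000   # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Passwords are never stored; only a salted, slow hash is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str                 # unique identifier per person, not a shared or vendor default
    salt: bytes
    password_hash: bytes
    active: bool = True          # set False on termination to block access immediately
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # monitoring hook for unauthorized access

    def create_account(self, user_id: str, password: str) -> None:
        # "Control of user IDs": each identifier may exist only once.
        if user_id in self.accounts:
            raise ValueError(f"user ID already in use: {user_id}")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        # Terminated employee: access is blocked without deleting the audit history.
        self.accounts[user_id].active = False
        self.audit_log.append(("deactivated", user_id))

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        # Unknown, inactive and locked accounts are all denied and logged.
        if acct is None or not acct.active or acct.locked:
            self.audit_log.append(("denied", user_id))
            return False
        # Constant-time comparison of the stored hash against the candidate.
        ok = hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))
        if ok:
            acct.failed_attempts = 0
            self.audit_log.append(("granted", user_id))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self.audit_log.append(("locked", user_id))
        else:
            self.audit_log.append(("failed", user_id))
        return False

    def unauthorized_events(self) -> list:
        """What a monitoring job would review: denied, failed and lockout events."""
        return [e for e in self.audit_log if e[0] in ("denied", "failed", "locked")]


if __name__ == "__main__":
    # Constructed sample users; not real credentials.
    ac = AccessControl()
    ac.create_account("alice", "correct horse battery staple")
    print("alice login:", ac.authenticate("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        ac.authenticate("alice", "wrong guess")
    print("alice locked:", ac.accounts["alice"].locked)
    ac.create_account("bob", "bob's first-day password")
    ac.deactivate("bob")
    print("bob after termination:", ac.authenticate("bob", "bob's first-day password"))
    print("events for review:", ac.unauthorized_events())
```

The `audit_log` is the piece a practitioner would feed into whatever monitoring answers the "alert you to the occurrence of unauthorized use" item; the example does not cover the separate encryption items (PI in transit over public or wireless networks and PI on laptops), which belong to transport and disk-encryption configuration rather than to an account store.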
Frequently Asked Questions (FAQs)
FAQs regarding data breach notifications and changes to the Data Breach Notification Law, M.G.L. Chapter 93H, through Chapter 444 of the Acts of 2018
What is the effective date of this law?
It was signed by the Governor on January 10, 2019 and takes effect 90 days later on April 10, 2019.
Where can I find the new law?
The law is available online: Data Breach Notification Law, M.G.L. Chapter 93H, through Chapter 444 of the Acts of 2018
What is the current law?
Chapter 93H required that a person or agency that owns or licenses data that includes personal information about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the Attorney General, to the Office of Consumer Affairs and Business Regulation (OCABR) and to the affected resident(s).
The notice to be provided to the Attorney General and the OCABR must include, but not be limited to, the nature of the breach of security or unauthorized acquisition or use, the number of residents of the commonwealth affected by such incident at the time of notification, and any steps the person or agency has taken or plans to take relating to the incident.
What changes were made by Chapter 444 of the Acts of 2018 which amends Chapter 93H?
Beginning April 10, 2019, the notice provided to the Attorney General and the OCABR must include, in addition to the nature of the breach and number of MA residents, the following information:
- the name and address of the person or agency that experienced the breach of security;
- name and title of the person or agency reporting the breach of security;
- their relationship to the person or agency that experienced the breach of security;
- the type of person or agency reporting the breach of security;
- the person responsible for the breach of security, if known;
- the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data;
- whether the person or agency maintains a WISP (written information security program); and
- any steps the person or agency has taken or plans to take relating to the incident, including whether they have updated the written information security program.
If the Social Security number of a MA resident has been compromised by the data breach that is being reported, what additional steps does the person or agency that experienced the breach have to take?
Under the new section 3A that was added to Chapter 93H, if a Social Security number of a MA resident has been compromised, the person or agency that experienced the breach must offer free credit monitoring services to the MA residents for 18 months through a third party vendor. If the person or agency that has experienced a breach of security is a consumer reporting agency, then the consumer reporting agency must offer free credit monitoring services to the MA residents for at least 42 months through a third party vendor.
If a MA resident’s Social Security number was not compromised in the data breach being reported, is the person or agency that experienced the breach required to offer or provide any type of free credit monitoring services?
No. There is no requirement that the person or agency provide credit monitoring services to MA residents.
How does a MA resident whose Social Security number has been compromised sign up for the free credit monitoring services being offered by the person or agency that experienced the breach?
The person or agency must provide, in the notice provided to the consumer, all the information necessary for the MA resident to enroll in credit monitoring services as well as information on how the resident may place a security freeze on their consumer credit report at no cost.
What other steps must the person or agency take when a resident’s Social Security number has been compromised and they have fulfilled all of the above?
A person or agency who experienced a breach of security must also file a report with the Attorney General and the OCABR certifying that their credit monitoring services comply with the requirements of section 3A of Chapter 93H.
Does this report have to be filed separately from the data breach notification?
No. The person or agency that experienced the breach may include that acknowledgment with the notification filed with the OCABR. Reporting entities may provide the OCABR with notification by mail, email or by filing online using the Office’s reporting portal.
In exchange for offering credit monitoring services to the resident, can the person or agency that experienced the data breach require the resident to sign a waiver prohibiting that consumer resident from taking legal action against the person or agency relating to the data breach?
No. A resident cannot be required by the person or agency that experienced the data breach to waive their private right of action as a condition of being offered the free credit monitoring services. This is true whether or not the person or agency is offering the free credit monitoring services because they are required to under section 3A of Chapter 93H or they are opting to do so as a gesture of good will to offset the harm of the data breach.
Were any other changes made to the notice to be provided to the MA resident by the person or agency that experienced the data breach?
Yes. The law has always required that the notice to be provided to the resident must include the resident’s right to obtain a police report, how a resident may request a security freeze and the necessary information to be provided when requesting the security freeze. The notice to the resident shall not, however, include the nature of the breach of security or unauthorized acquisition or use, or the number of residents affected by said breach of security or unauthorized access or use.
Pursuant to both federal and state law, the notice must now also include that there shall be no charge for a security freeze and, after April 10, 2019, what, if any, mitigation services will be provided to the resident.
What if the person or agency that experienced the data breach is owned by another person or corporation?
The notice to the consumer must include the name of the parent corporation or the affiliated corporation.
Who else must receive a copy of the notice sent to the MA resident?
The person or agency that experienced the breach of security must provide a sample copy of the notice it sent to the MA residents to the Attorney General and the OCABR. Even if the number of residents affected by the breach is not known, the filing of the sample notice must be provided with the breach notification.
Does the person or agency that experienced a breach need to submit a data breach notification or provide the notice to consumers if information about the breach is unknown?
Yes. The breach notification should be reported to the OCABR as soon as practicable and without any unreasonable delay. As additional information about the breach is discovered, the person or agency that experienced the breach shall provide updates in both the notification to the OCABR and the notice to the consumer.
What is the Office of Consumer Affairs and Business Regulation required to do with these sample notices that are sent to the MA residents?
The Office must post on its website a copy of each of these notices within 1 business day of receipt from the person that experienced the data breach.
The OCABR reminds reporting persons or agencies to ensure that the sample copy of the notice sent to the consumers and provided to OCABR does not include any personal information of the consumer resident.
Notification letter to MA consumers
Once an organization is aware of the data breach it should begin notifying affected consumers, even if the total number of residents affected has not yet been determined. The notices should be sent or updated on a rolling and continuous basis.
In accordance with MA law, the notification to affected Massachusetts residents must be posted on the Office of Consumer Affairs and Business Regulation's website.
The notice to affected consumers should include:
- Consumer's right to obtain a police report
- Information on how to request a security freeze at no charge
- Information needed to request a security freeze
- Information on complimentary credit monitoring services
- Name of the parent organization and subsidiary organizations affected
The notice to affected consumers should NOT include:
- The nature of the breach or unauthorized acquisition or use
- The number of Massachusetts residents affected by the security breach or the unauthorized access or use