How executive branch agencies report a data breach
Immediately report the breach to the EOTSS Security Operations Center.
The Breach Notification Law also requires executive branch agencies to notify:
- The Massachusetts Attorney General’s Office;
- The Office of Consumer Affairs and Business Regulation;
- The Secretary of State’s Public Records Division; and,
- The individual Massachusetts resident(s) affected by the breach.
Breach notices to EOTSS and the other government agencies listed above should include, but not be limited to:
- The nature of the breach of security or unauthorized acquisition or use;
- The number of residents of the commonwealth affected by such incident at the time of notification;
- The name and address of the person or agency that experienced the breach of security;
- Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
- The type of person or agency reporting the breach of security;
- The person responsible for the breach of security, if known;
- The type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number or other data;
- Whether the person or agency maintains a written information security program; and
- Any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.
How businesses and other organizations report a data breach
Please refer to the notice and reporting requirements articulated by the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation.
How Massachusetts residents report a data breach
If you are a Massachusetts resident affected by a breach and wish to notify the Attorney General’s Office, please call 617-727-8400 or file a consumer complaint online.