Report a data breach

ServiceNow for tech support & requests

This page, Report a data breach, is offered by
Cybersecurity and Enterprise Risk Management

The Breach Notification Law (M.G.L. c. 93H, s. 3) requires that a person or agency, including public and private entities, that maintains, stores, owns, or licenses data that includes personal information about a resident of the Commonwealth, shall provide notice as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.

Skip table of contents

You skipped the table of contents section.

How executive branch agencies report a data breach

Immediately report the breach to the EOTSS Security Operations Center.

The Breach Notification Law also requires executive branch agencies to notify:

The Massachusetts Attorney General’s Office;
The Office of Consumer Affairs and Business Regulation;
The Secretary of State’s Public Records Division; and,

The individual Massachusetts resident(s) affected by the breach.

Breach notices to EOTSS and the other government agencies listed above should include, but not be limited to:

The nature of the breach of security or unauthorized acquisition or use;
The number of residents of the commonwealth affected by such incident at the time of notification;
The name and address of the person or agency that experienced the breach of security;
Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
The type of person or agency reporting the breach of security;
The person responsible for the breach of security, if known;
The type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number or other data;
Whether the person or agency maintains a written information security program; and any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.

How businesses and other organizations report a data breach

Please refer to the notice and reporting requirements articulated by the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation.

How Massachusetts residents report a data breach

If you are a Massachusetts resident affected by a breach and wish to notify the Attorney General’s Office, please call 617-727-8400 or file a consumer complaint online.

Additional Resources

Open file, Recovering from Identity Theft

Contact for Report a data breach

Online

For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov

Address

McCormack Building

1 Ashburton Place, 8th Floor, Boston, MA 02108

Directions

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please Contact the Cybersecurity and Enterprise Risk Management. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please Contact the Cybersecurity and Enterprise Risk Management.

Please let us know how we can improve this page.