Log in links for this page

Report a data breach

Learn how government employees, businesses, organizations, and people who live in Massachusetts can report a data breach.

The Breach Notification Law (M.G.L. c. 93H, s. 3) requires that a person or agency, including public and private entities, that maintains, stores, owns, or licenses data that includes personal information about a resident of the Commonwealth, shall provide notice as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.

Table of Contents

How executive branch agencies report a data breach


Immediately report the breach to the EOTSS Security Operations Center.

The Breach Notification Law also requires executive branch agencies to notify: 

The individual Massachusetts resident(s) affected by the breach. 

Breach notices to EOTSS and the other government agencies listed above should include, but not be limited to: 

  • The nature of the breach of security or unauthorized acquisition or use;  
  • The number of residents of the commonwealth affected by such incident at the time of notification;  
  • The name and address of the person or agency that experienced the breach of security; 
  • Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;  
  • The type of person or agency reporting the breach of security; 
  • The person responsible for the breach of security, if known;  
  • The type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number or other data;  
  • Whether the person or agency maintains a written information security program; and any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program. 

How businesses and other organizations report a data breach


Please refer to the notice and reporting requirements articulated by the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation.

How Massachusetts residents report a data breach


If you are a Massachusetts resident affected by a breach and wish to notify the Attorney General’s Office, please call 617-727-8400 or file a consumer complaint online.

Contact

Online

Cybersecurity questions: CommonwealthCISO@mass.gov
Risk management questions: ERM@mass.gov
Report cybersecurity or data breach: eotss-soc@mass.gov

Address

McCormack Building
1 Ashburton Place, 8th Floor
Boston, MA 02108
Feedback