Office of Attorney General Maura Healey
AG Healey Launches Online Data Breach Reporting Portal
Boston — Making it easier and more efficient to report data breaches that affect Massachusetts residents, Attorney General Maura Healey today launched a new Data Breach Reporting Online Portal, which businesses and organizations can use to provide notice to the AG’s Office as required by the Massachusetts Data Breach Notification Law.
The portal, available through the AG’s website, gives organizations the option of reporting data breaches online to the AG’s Office in lieu of delivering a hard copy notice.
“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said AG Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”
Since November 2007, the AG’s Office has received notice of more than 21,000 breaches, with 3,821 breaches reported in 2017 affecting more than 3.2 million residents.
In September 2017, following a major data breach at credit reporting firm Equifax Inc., AG Healey filed the nation’s first enforcement action over the company’s failure to protect sensitive and personal information of nearly three million Massachusetts residents and also announced proposed legislation that will better protect consumers from data breaches.
The Massachusetts Data Breach Notification Law (M.G.L. c. 93H) requires any entity that owns or licenses a consumer’s personal information to notify affected Massachusetts residents, the Office of Consumer Affairs and Business Regulation (OCABR), and the AG’s Office any time personal information is accidentally or intentionally compromised.
Data breaches may occur due to intentional hacking or because of human error, such as sending an e-mail to the wrong person or losing a laptop. Institutions experiencing data breaches range from the largest, most sophisticated institutions in the state to small businesses with only one or two employees. While many breaches affect a relatively small number of consumers, many entities have experienced data breaches affecting large numbers of consumers.
The Massachusetts Data Breach Notification Law was enacted on Aug. 2, 2007, and since then the AG’s Office has been focused on making sure consumers receive proper and prompt notice when their information is put at risk by a data breach. Notification is important so that consumers can guard against harm, ranging from unauthorized use of a credit card to identity theft.
Use of the portal is voluntary, and entities can still send written notice to the AG’s Office by mail. Use of the portal does not relieve an organization of its obligations under chapter 93H to also notify OCABR and affected Massachusetts residents.
A database that allows members of the public to view information online about reported data breaches is expected to be available on the AG’s website in the coming weeks. It will allow consumers to see which businesses have reported data breaches and when, as well as the estimated number of affected Massachusetts residents.
More information about the Massachusetts Data Breach Notification Law and an organization’s reporting obligations under that law (including sample notice forms) is available on the AG’s Guidance for Businesses on Security Breaches website.