Blog Post: Understanding a Financial Institution’s Data Breaches

2/21/2017
  • Office of Consumer Affairs and Business Regulation

The Commonwealth’s Data Breach Notification Law, Mass. General Law, Chapter 93H, requires businesses and other entities that own or license personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

In 2016, the Office of Consumer Affairs and Business Regulation received notice of 1,999 data breaches that affected 194,864 Massachusetts residents. Among the entities that experienced a breach were health care providers, town offices, and small retail stores. Banks, credit unions and other financial institutions accounted for a significant amount of the reported breaches.

However, it is important to understand that not every breach reported by a financial institution was the result of a breach within the financial institution’s control. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card, the financial institution reports the breach as well.

After a breach, it’s critical that the business/financial institution that experienced the breach:

  • Notify the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office without unreasonable delay. The notification must include:
    • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
    • The number of Massachusetts residents affected as of the time of notification;
    • The steps already taken relative to the incident;
    • Any steps intended to be taken relative to the incident subsequent to notification; and
    • Information regarding whether law enforcement is engaged in investigating the incident.
  • Notify the consumers affected by the breach.
  • Develop or review their risk-based written information security program, which must take into account the business’s size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
  • Ensure compliance with the computer system security requirements outlined in 201 CMR 17.00.