Requirements for Data Breach Notifications

The Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to providing notice to government agencies, you must also notify the consumers whose information is at risk.

What is a data breach?

A data breach is the unauthorized acquisition or use of sensitive personal information that creates a substantial risk of identity theft or fraud.

Data breaches can be the result of criminal cyber-activity, such as hacking or ransomware, or because of employee error, such as emailing information to the wrong person.

What is personal information?

The law defines personal information as a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

  • (a) Social Security number;
  • (b) driver's license number or state-issued identification card number; or
  • (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.

Personal information does not include information that can be legally obtained from publicly available sources, such as addresses or birthdays.

When does my business need to report a data breach?

Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained, the business or entity that was breached must notify both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office of the breach.

The notification must include:

  • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
  • The number of Massachusetts residents affected as of the time of notification;
  • The steps already taken relative to the incident;
  • Any steps intended to be taken relative to the incident subsequent to notification; and
  • Information regarding whether law enforcement is engaged in investigating the incident.

It is important to understand that some breaches originate with a third-party vendor or other entity rather than with the business itself. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. For example, a breach may have occurred at a retailer, but if the consumer used their bank-issued card there, the financial institution reports the breach as well.

The Comprehensive Written Information Security Program (WISP)

Every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program.

After a breach, it is critical that the business that experienced the breach develop or review its risk-based written information security program. The program must take into account the business's size, the nature of the business, the amount of resources available, the type of records it maintains, and the need for security. A risk-based approach is especially important to small businesses that may not handle a lot of personal information about customers.

Organizations that experience a breach must report whether they have a WISP to the Office of Consumer Affairs and Business Regulation and the Attorney General's Office.

Notification letter to MA consumers

Once an organization is aware of the data breach, it should begin notifying affected consumers, even if the total number of residents affected has not yet been determined. The notices should be sent or updated on a rolling and continuous basis.

In accordance with MA law, the notification to affected Massachusetts residents must be posted on the Office of Consumer Affairs and Business Regulation's website.

The notice to affected consumers should:

Include

  • The consumer's right to obtain a police report
  • Information on how to request a security freeze at no charge
  • The information needed to request a security freeze
  • Information on complimentary credit monitoring services
  • The name of the parent organization and any subsidiary organizations affected

NOT include

  • The nature of the breach or unauthorized acquisition or use
  • The number of Massachusetts residents affected by the security breach or the unauthorized access or use

Contact for Requirements for Data Breach Notifications

Address

501 Boylston St, Suite 5100, Boston, MA 02116