The Data Breach Notification Law requires businesses and others that own or license personal information about Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice when they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to notifying these government agencies, you must also notify the person(s) whose information is at risk.
A data breach is the unauthorized acquisition or use of sensitive personal information that creates a substantial risk of identity theft or fraud.
Data breaches can be the result of criminal cyber-activity, such as hacking or ransomware, or because of employee error, such as emailing information to the wrong person.
The law defines personal information as a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
Personal information does not include information that can be legally obtained from publicly available sources, such as addresses or birthdays.
Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained, the business or entity that was breached must notify both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office of the breach.
The notification must include:
It is important to understand that some breaches originate with a third-party vendor or other entity rather than with the business that holds the customer relationship. For example, in addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issued is compromised. This means a breach may have occurred at a retailer, but if the consumer paid with a bank-issued card, the financial institution must report the breach as well.
Every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program.
After a breach, it is critical that the business that experienced it develop or review its risk-based written information security program. That program must take into account the size and nature of the business, the resources available to it, the type of records it maintains, and the level of security those records need. A risk-based approach is especially important for small businesses that may not handle much personal information about customers.
It can be difficult to understand how 201 CMR 17.00 applies to your business. We put together some of the most frequently asked questions to help.