Massachusetts Security Breaches
MGL c. 93H, § 1 - § 6
SUMMARY:
EFFECTIVE. October 31, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person, business, or agency (including State agencies or political subdivisions) that owns or licenses data that includes Personal Information on State residents; and (2) any person, business, or agency maintaining data on State residents which includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition or use of unencrypted data, or of encrypted data together with the confidential process or key, that may compromise the security, integrity, or confidentiality of Personal Information maintained by a person, business, or agency and that creates a substantial risk of identity theft or fraud for a Massachusetts resident. A good faith acquisition of Personal Information by an employee or agent of the owner for lawful internal purposes only is not a breach if it is not used for, or subject to, further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card number, or debit card number, with or without any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include publicly available information, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Massachusetts resident(s) affected, the State Attorney General (“Attorney General”), the Director of Consumer Affairs and Business Regulation and consumer reporting agencies or state agencies. The names of appropriate consumer reporting and state agencies to be notified will be provided to the owner or licensor of the data by the Director of Consumer Affairs and Business Regulation.
The notice to the Attorney General, the Director and consumer reporting and state agencies shall include the:
- Nature of the breach.
- Number of Massachusetts residents affected.
- Steps taken or planned regarding the breach incident.
- Name and title of the person or agency that experienced the breach of security.
- The type of person or agency reporting the breach of security.
- The person responsible for the breach of security, if known.
- The type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number, or other data.
- Whether the person or agency maintains a written information security program.
- Any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.
The notice to the affected Massachusetts residents shall include but is not limited to:
- The individual’s right to obtain a police report.
- How to request a security freeze and the information required to do so. Pursuant to the 2019 amendment, placing, lifting, or removing a security freeze is now free of charge for Massachusetts residents affected by a breach.
- Free credit monitoring services for not less than 18 months, for breaches involving Social Security Numbers.
The notices to affected Massachusetts residents may not include the following:
- Nature of the breach.
- Number of Massachusetts residents involved.
If the breach occurs by an agency within the executive department, it is required to provide written notice of the nature of the breach to the divisions of Information Technology and Public Records.
EXCEPTION. This Section does not apply to the following:
- A person, business, or agency that is regulated by State or Federal law and maintains procedures for a security breach pursuant to those State or Federal laws or rules is considered in compliance with this Section if the affected Massachusetts individuals are notified in accordance with such laws or rules and notice is provided to the Attorney General and the Director of the Office of Consumer Affairs and Business Regulation. The notice to the Attorney General and the Director shall include any steps taken or related plans regarding the breach.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent as soon as practicable, and without unreasonable delay, when the person, business, or agency first becomes aware of an incident of unauthorized acquisition. Notification may be delayed if it would impede a criminal investigation, such delay is requested by law enforcement, and law enforcement has notified the State Attorney General in writing. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, agency, or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of Massachusetts persons to be notified exceeds 500,000, or the person, business or agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, agency, or business if a website is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or agency maintains data that includes Personal Information that it does not own, then the person, business, or agency shall notify and cooperate with the owner or licensor as soon as possible and without unreasonable delay following discovery of the breach. Such cooperation includes but is not limited to:
- Notification of the breach to the owner or licensor.
- Date (or approximate date) of the breach incident.
- Nature of the breach.
- Steps taken and future plans regarding handling of the breach.
Cooperation does not include disclosure of confidential business or trade secret information. The person, business or agency that owns or licenses the data shall provide notice to the affected Massachusetts resident(s) and others required in this Section.
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may bring an action for any violation of this Section, and for other relief it considers appropriate.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive written information security program (WISP).
After a breach, it is critical that the business that experienced the breach develop or review its risk-based WISP, taking into account the size and nature of the business, the resources available, the type of records it maintains, and the need for security. A risk-based approach is especially important for small businesses that may not handle a lot of personal information about customers.
Organizations that experience a breach must report whether they have a WISP to the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office.
DATA DISPOSAL PROVISIONS. MGL c. 93I, § 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information: (a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed; (b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed. Any agency or person disposing of personal information may contract with a third-party to dispose of personal information. Any third-party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of personal information. Any violation shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.
LEGISLATIVE UPDATES.
H.B. 4144 – Signed into law on 8/3/2007, Effective 10/31/2007.
H.B. 4806 – Signed into law on 1/10/2019, Effective 4/11/2019.
For more information, see:
- https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H
- https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-ma-residents
- https://www.mass.gov/info-details/requirements-for-data-breach-notifications
- https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.