The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Massachusetts
Data Breach Notification Statute
Highlights
Covered Entities: A person (natural person, corporation, association, partnership, or other legal entity) and agency (any agency, executive office, department, board, commission, bureau, division or authority of Massachusetts, or any of its branches, or of any other political subdivision thereof) that owns or licenses personal information about a resident of Massachusetts.
Consumer Notification: When there is a breach of security of personal information.
Regulatory Notification: To the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation.
Notification Timeline: As soon as practicable and without reasonable delay.
Data Format: Electronic, paper, or other.
Citations: Mass. Gen. Laws Ann. Ch. 93H, §§ 1-6.
More Details
Definitions:
- Breach: Breach of security means the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.
- Personal Information (PI):
- A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
- Social Security number;
- Driver’s license number or state-issued identification card number; or
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
- A Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
- Medical Information: N/A
- Health Insurance Information: N/A
Safe Harbors:
- Encryption: Does not apply to encrypted electronic data when the confidential process or key is not acquired.
- Good Faith: A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if a breach of security does not create a substantial risk of identity theft or fraud against a resident of Massachusetts.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that provision of such notice may impede a criminal investigation and has notified the Massachusetts Attorney General, in writing, thereof and informs the person or agency that the notification will impede a criminal investigation or jeopardize homeland or national security.
Direct Notice:
- Timing: As soon as practicable and without unreasonable delay. Notification shall not be delayed on grounds that the total number of affected residents is not yet ascertained.
- Format: N/A
- Content: The notice to be provided to the resident shall include, but shall not be limited to:
- The resident’s right to obtain a police report;
- How a resident may request a security freeze and the necessary information to be provided when requesting the security freeze; and
- That there shall be no charge for a security freeze.
- Mitigation services to be provided but shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of Massachusetts residents affected.
- The name of any parent or affiliated corporation, if any.
- Method: Written notice or electronic notice, if notice provided is consistent with the provisions regarding electronic records and signatures set forth in Electronic Signatures in Global and National Commerce Act, § 7001 (c) of Title 15 of the United States Code.
Substitute Notice:
The person or entity may rely on substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: (1) electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents; (2) clear and conspicuous posting of the notice on the home page of the person or agency if the person or agency maintains a website; and (3) publication in or broadcast through media or medium that provides notice throughout Massachusetts.
Remediation Services:
If a breach of security includes a social security number, each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security shall be offered credit monitoring services at no cost to said resident for a period of not less than 18 months.
Regulatory Notice:
A person or entity that owns or licenses data that includes personal information about a resident of Massachusetts, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation. The notice to be provide to the Massachusetts Attorney General and said Director shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of Massachusetts affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program. The person that experienced the breach of security shall certify that their credit monitoring services comply with the required offering of not less than 18 months credit monitoring services for incidents involving a breach of security of individuals’ social security numbers.
Credit Reporting Agencies Notice:
The Massachusetts Director of Consumer Affairs and Business Regulation shall identify any relevant consumer reporting agency, as deemed appropriate by said Director, and forward the names of the identified consumer reporting agencies to the notifying person or agency.
Third-Party Notice:
A person or agency that maintains or stores, but does not own or license data that includes personal information about a resident of Massachusetts, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the owner or licensor in accordance with this Chapter. Additionally, such person or agency shall cooperate by informing the owner or license of the breach of security or unauthorized acquisition or use, the date or approximate date of the incident and nature thereof, and any steps the person or agency has taken or plans to take relating to the incident, except cooperation shall not include disclosure of confidential business information or trade secrets or to provide notice to a resident that may have been affected by the incident.
HIPAA:
Compliance with the chapter does not relieve a person or agency from its duty to comply with other requires of law relating to the protection and privacy of personal information. A person that maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with those procedures and provides notice of the steps taken or to be taken to the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation.
Private Action:
N/A
Associated Regulations:
- Information Security Standard (Mass. Gen. Laws Ann. Ch. 93I §§ 1-3)
Information Security Standard
Highlights
Covered Entities: Any person, corporation, association, partnership, or other legal entity that handles personal information under the statute.
First Party Security Standard: Any person, corporation, association, partnership, or other legal entity that handles personal information under the statute shall meet the following minimum standards for proper disposal of records containing personal information.
Third Party Security Standard: N/A
Disposal/Destruction Standard: When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
- Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
- Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.
Data Format: Electronic and Paper.
Citations: M.G.L. c. 93H and 201 CMR 17.00.
More Details
Definitions:
- Personal Information (PI): A resident’s first name and last name or first initial and last name in combination with any one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or Massachusetts identification card number;
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to a resident’s financial account; or
- A biometric indicator.
Methods of Compliance:
When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
- Paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstruction;
- Electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Exclusions:
- Health Care: N/A
- Financial: N/A
- Other: N/A
Enforcement/Penalties:
Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal.
The Attorney General may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.
Associated Regulations:
N/A