Information Covered / Important Definitions
Personal information of Massachusetts residents.
Definition includes financial account number or credit/debit card number with or without any required security or access code or password that would permit access to a resident’s financial account.
“Security Breach” means unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a Massachusetts resident.
“Data” means any material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
“Encrypted” means the transformation of data through the use of a 126-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Covered Entities* / Third Party Recipients
Subject to statute:
A person that owns or licenses data that includes personal information about a Massachusetts resident.
Every person or legal entity that owns, licenses, stores or maintains personal information about a Massachusetts resident.
Third party recipients:
A person that maintains or stores but does not own or license data that includes personal information about a Massachusetts resident must provide notice of a security breach to the owner or licensor of the data as soon as practicable and without unreasonable delay and also cooperate thereafter.
Covers third-party service providers with access to personal information.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach as soon as practicable and without unreasonable delay after the covered entity discovers or is notified of a security breach, unless a law enforcement agency determines that the notification will impede a criminal investigation and has notified the Attorney General in writing of such determination (in which case notification is delayed until authorized by law enforcement agency).
Entities cannot delay notifications required “on the grounds that the total number of residents affected is not yet ascertained.”
Notice content is specifically set forth in the statute.
Notice to AG/OCABR:
The notice shall include, but not be limited to:
- the nature of the breach of security or unauthorized acquisition or use;
- the number of residents of MA affected by such incident at the time of notification;
- the name and address of the person or agency that experienced the breach of security;
- the name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
- the type of person or agency reporting the breach of security;
- the person responsible for the breach of security, if known;
- the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data;
- whether the person or agency maintains a written information security program;
- any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program; and
- certification that credit monitoring services comply with the law’s requirements for providing credit monitoring to individuals if social security numbers are affected.
Substitute notice is available by means prescribed in the statute if costs would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity does not have sufficient contact information.
Notice only required after a security breach that causes substantial risk of identity theft or fraud or after a covered entity has reason to know that the personal information of a Massachusetts resident was acquired by an unauthorized person or used for an unauthorized purpose.
The regulations require the development, implementation and maintenance of a comprehensive information security program consistent with industry standards and state or federal regulations applicable to the covered entity with respect to owning or licensing personal information.
See 201 CMR 17.00 for a detailed description of content requirements and technology requirements for the comprehensive information security program.
The sufficiency of a comprehensive information security program will be evaluated by taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.
Requires entities to collect and store the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected, and requires entities to restrict access to the personal information to the smallest possible number of users.
Credit monitoring: If SSNs are compromised, the breached entity must contract with a third party to provide affected individuals with no less than 18 months of credit monitoring services (42 months if the affected entity is a consumer reporting agency).
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted and the process or key that is capable of unlocking the data has not been compromised.
The regulations require the encryption of all transmitted records and files containing personal information, including those in wireless environments, which will travel across public networks.
For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.
Covered entity is deemed in compliance with the Massachusetts statute if it maintains and complies with procedures for responding to a breach of security pursuant to federal laws and regulations provided the covered entity notifies the Attorney General and the Director of the Office of Consumer Affairs and Business Regulation of the security breach as soon as practicable and without unreasonable delay following discovery of the security breach. Notice must describe the steps to be taken.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the lawful purposes of the covered entity so long as personal information is not used in an unauthorized manner or subject to further unauthorized disclosure.
Notification to Regulator / Waiver
Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) must be separately notified of a security breach as soon as practicable after the covered entity becomes aware of the security breach.
Notice to the OCABR must be submitted through an online portal.
Notice to the AG may be either by letter or through an online portal.
Notice to regulators may be required even in cases where security breach involves encrypted data. Covered entity must be able to determine that the key or confidential process has not been compromised.
The covered entity must also provide notice to any consumer reporting agencies and state agencies identified by the OCABR.
A determination of no likelihood of harm does not require notification to the Attorney General.
Attorney General may bring an action under Chapter 93A, the Commonwealth’s consumer protection statute. Chapter 93A permits the imposition of significant fines, injunctive relief and attorneys’ fees.
A civil penalty of $5,000 may be awarded for each violation (see 93A § 4).
Businesses can be subject to a fine of up to $50,000 for each instance of improper disposal of data (see 93I § 2).
Private Cause of Action / Enforcement
Private Cause of Action: Potentially.
If Attorney General finds violation of consumer protection laws for unfair or deceptive acts or practices, Massachusetts consumers may seek damages under Chapter 93A, which, in some cases, may be trebled.
The OCABR has launched a web-based public archive of data breaches affecting Massachusetts residents.
Upon receipt of notice, the director of the OCABR shall report the incident publicly on its website and make available electronic copies of the sample notice sent to consumers on its website.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.