Massachusetts Data Breach Law

January 18, 2019 | Cyber Security, Data Breach

The Massachusetts Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to providing notice to government agencies, they must also notify the consumers whose information is at risk.

Definition Of Data Breach

A data breach is the unauthorized acquisition or use of sensitive personal information that creates a substantial risk of identity theft or fraud. Data breaches can be the result of criminal cyber-activity, such as hacking or ransomware, or because of employee error, such as emailing information to the wrong person.

Definition Of Personal Information

The law defines personal information as a resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

Personal information does not include information that can be legally obtained from publicly available sources, such as addresses or birthdays.

Requirements For Reporting Data Breach

Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained, the business or entity that was breached must notify both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office of the breach.

The notification must include:

  • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
  • The number of Massachusetts residents affected as of the time of notification;
  • The steps already taken relative to the incident;
  • Any steps intended to be taken relative to the incident subsequent to notification; and
  • Information regarding whether law enforcement is engaged in investigating the incident.

Some data breaches originate at a third-party vendor or other entity rather than at the business that holds the consumer relationship. For example, in addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer paid with a bank-issued card, the financial institution reports the breach as well.


If your business is presently or may soon be involved in data breach litigation in the United States, email us at info@businesslitigationcontingencylawyers.com or telephone us toll-free in the United States at 800-756-2143 to find business litigation contingency lawyers who may handle your data breach litigation matter on a contingency basis.

BusinessLitigationContingencyLawyers.com – The Practical Solution For Business Litigation