Massachusetts Data Breach Notification Law

Notification deadline: As soon as practicable and without unreasonable delay

Enforcement: Massachusetts Attorney General, Office of Consumer Affairs

Overview

Massachusetts has some of the most comprehensive data security requirements in the nation. Beyond breach notification, the 201 CMR 17.00 regulations mandate a written information security program (WISP) for any business handling Massachusetts residents' personal information.

Who Must Be Notified

• • Affected Massachusetts residents
• • Massachusetts Attorney General (always, regardless of number affected)
• • Director of Consumer Affairs and Business Regulation

Covered Data Types

Social Security number, Driver's license number, State ID number, Financial account number with access code, Credit/debit card number

Notification Requirements

• • Written notice to affected individuals
• • Include description of breach and data types involved
• • Steps taken to address breach
• • Must notify AG and Director of Consumer Affairs (specific form required)
• • Cannot include description of security measures in notification
• • Credit monitoring must be offered if SSN exposed

Exemptions

• • Encrypted data (if key not compromised)
• • Publicly available information
• • Good faith acquisition by employee (if not misused)

Penalties

Up to $5,000 per violation under consumer protection laws. AG can seek injunctions, restitution, and penalties. Class action lawsuits possible.