When a company suffers a breach of confidential data, it typically must notify the affected consumers. Because there is no single federal notification standard, every state has its own requirements. Massachusetts is no exception (Mass. General Law Chapter 93H), and its statute carries several specific notification requirements that businesses should be cognizant of. This matters most for companies operating across state lines, where variation between state standards complicates compliance.
The Basics of the Massachusetts Data Breach Notification Law
Defining Personal Information (PII)
Massachusetts, like most states, defines the personal information of a resident as the first and last name, or first initial and last name, in combination with one or more of the following:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account information, including:
  - Bank account number
  - Credit or debit card number (with or without the PIN)
  - Any access code, PIN, or control number that would permit access to the resident's financial account
As in most states, information that is lawfully obtained from publicly available sources is excluded. Information that was encrypted is also excluded from reporting, provided the encryption key (or the confidential process capable of decrypting the data) was not compromised in the breach; an attacker who takes both the ciphertext and the key has acquired personal information. Unlike a majority of states, Massachusetts also prescribes security requirements for protecting personal information (201 CMR 17.00) as part of its overall data breach framework. Additional information regarding privacy laws for all 50 states can be found here.
Notification Requirements
In most states, only unencrypted computerized data triggers notification. In Massachusetts, "data" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded, regardless of the medium. A breach of sensitive printed material is still a breach, so this definition demands extra compliance effort beyond electronic records. Notice of a breach must be provided to the Attorney General, to the Director of Consumer Affairs and Business Regulation, and to any consumer reporting or state agencies the Director identifies, and must include, but is not limited to:
- The nature of the breach of security or of the unauthorized acquisition or use
- The number of residents of the Commonwealth affected by the incident at the time of notification
- Any steps the person or agency has taken or plans to take relating to the incident
A breach can be reported electronically on the Massachusetts government website. Massachusetts is one of a handful of states that posts breach notifications online; in Massachusetts they are published on the Office of Consumer Affairs and Business Regulation (OCABR) website.
Permitted Private Cause of Action
Massachusetts allows consumers to sue for damages. Such claims are brought under Chapter 93A, the state's unfair and deceptive trade practices law. Under certain circumstances, Chapter 93A allows for treble damages (up to three times the actual damages). The statute provides: "A person may assert a claim under this section in a district court, whether by way of original complaint, counterclaim, cross-claim or third-party action, for money damages only. Said damages may include double or treble damages, attorneys' fees, and costs, as herein provided." The Massachusetts Attorney General can also bring suit.
Operating in Massachusetts
Any business operating in Massachusetts, or with Massachusetts-based customers, should stay attentive to the relevant legislation, as data breach regulations are regularly amended. For the latest information on data breaches, privacyrights.org maintains a running list by type, organization affected, and geographic location. Remember that there are many ways to mitigate the risk factors associated with data breaches. The Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) require each business, at a minimum, to:
- Develop a written information security program, and provide routine employee training
- Designate one or more employees to maintain the security program
- Identify and assess reasonably foreseeable risks, and review the program at least annually
- Establish a means for detecting and preventing security failures
- Implement offboarding procedures so terminated employees can no longer access personal information
- Encrypt personal information transmitted over public networks or wirelessly, and personal information stored on laptops and other portable devices
- Keep firewalls, applications, and operating systems patched on a regular basis
- Use secure user authentication, such as strong passwords or token devices
For detailed, up-to-date requirements, refer to 201 CMR 17.00. For assistance with operational compliance or proactive security strategies, contact iCorps for more information.