What are Massachusetts' Data Breach Notification Requirements?

When a company suffers a breach of confidential data, it typically must notify affected consumers. As there is no federal standard for notification, every state has unique requirements. Massachusetts is no exception: Massachusetts General Law Chapter 93H sets out several specific notification requirements that businesses should be aware of. This is particularly important for companies operating across state lines, where variation in standard practice can complicate compliance.

Defining personally identifiable information (PII)

Massachusetts, like most states, defines personal information of a resident as the resident's first and last name, or first initial and last name, in combination with one or more of the following:

  • Social Security Number
  • Driver's license number or state-issued identification card number
  • Financial information including:
    • Bank account number
    • Credit or debit card number (with or without the PIN)
    • Access code, PIN or control number that would grant access to financial information

As in most states, information that is lawfully publicly available is excluded. Additionally, if the information is encrypted, and the encryption key has not been compromised during a data breach, the information is excluded from reporting. Unlike a majority of states, Massachusetts outlines security requirements to protect personal information (201 CMR 17.00) as part of the overall data breach requirements.

Notification requirements

In most states, only unencrypted or computerized data requires notification. Massachusetts is one of eight states in which "data" includes written, drawn, spoken, visual, or electromagnetic information, regardless of the medium. It's still possible to suffer a breach from sensitive print material, so this requirement necessitates extra compliance effort.

Notice of the breach shall be provided to the attorney general, said director, and consumer reporting or state agencies, if any, and shall include, but not be limited to:

  • The nature of the breach of security/unauthorized acquisition or use
  • The number of residents of the commonwealth affected by such incident at the time of notification
  • Any steps the person or agency has taken, or plans to take, relating to the incident


The breach can be reported electronically on the Massachusetts government website.

Permitted private cause of action

Massachusetts is one of 15 states, including Washington, D.C., that allow consumers to sue for damages. This right falls under Chapter 93A, the unfair trade practices law. Under certain circumstances, Chapter 93A allows for treble damages:

"A person may assert a claim under this section in a district court, whether by way of original complaint, counterclaim, cross-claim or third-party action, for money damages only. Said damages may include double or treble damages, attorneys' fees and costs, as herein provided."

The Massachusetts Attorney General can also bring suit. Massachusetts was the first state to sue Equifax over its breach.

Public availability of information

Massachusetts is one of a handful of states that posts breach notifications online. In Massachusetts, they are available on the Office of Consumer Affairs and Business Regulation (OCABR) website.

Pending legislation

States frequently update privacy regulations, and in the wake of the high-profile Equifax breach, there has been a country-wide push for new legislation. Massachusetts is no exception, with several bills currently in the House and Senate.

Several states are expanding their definitions of PII to include biometric data, such as fingerprints, iris scans, and DNA. MA Senate Bill 95 would add Massachusetts to that list.

Under the changes proposed by this bill:

  • Companies would need to obtain consent when using a consumer's credit report
  • In the event of a breach, consumers could place or lift a credit freeze on their accounts at no cost
  • CRAs would be required to encrypt personal information and provide five years of free monitoring following a breach


Operating in Massachusetts

Any business operating in Massachusetts, or with Massachusetts-based customers, should remain attentive to relevant legislation, as data breach regulations are constantly being amended and modified. For the latest information on data breaches, privacyrights.org provides a running list by type, organization affected, and geographic location.

Remember, there are many ways to mitigate the risk factors associated with data breaches. The standards for the protection of personal information of residents of the commonwealth (201 CMR 17.00) require each business to, at minimum, do the following:

  • Develop an information security program
  • Designate a security office to maintain the security plan
  • Do a risk assessment (recommended annually)
  • Provide ongoing security awareness training
  • Maintain a means for detecting and preventing security failures
  • Implement strong offboarding procedures to prevent terminated employees from accessing information
  • Encrypt data in transit as well as at rest when it contains personal information
  • Patch firewalls, applications, and operating systems on a regular basis
  • Use secure passwords and/or token devices


For assistance with operational compliance, or proactive security strategies, contact iCorps for more information.

As more businesses move to the cloud, it's important to ask your cloud provider the tough questions when it comes to data security. Check out this eBook for the top seven questions to ask. 
