When a company suffers a breach of confidential data, it typically must report to affected consumers. As there is no federal standard for notification, every state has unique requirements. Massachusetts is no exception (Mass. General Law Chapter 93H), with several specific notification requirements that businesses should be cognizant of. This is particularly important for companies operating across state lines, where variation in standard practice can complicate compliance.
Massachusetts, like most states, defines personal information of a resident as the first and last names, or first initial and last name, and one or more of the following:
As in most states, information that is lawfully made publicly available is excluded. Additionally, if the information is encrypted and the encryption key has not been compromised during the data breach, the information is excluded from reporting. Unlike a majority of states, Massachusetts also outlines security requirements to protect personal information (201 CMR 17.00) as part of the overall data breach requirements. Additional information regarding privacy laws for all 50 states can be found here.
In most states, only unencrypted or computerized data requires notification. In Massachusetts, "data" includes written, drawn, spoken, visual, or electromagnetic information, regardless of the medium. It is still possible to suffer a breach of sensitive printed material, so this requirement necessitates extra compliance effort. Notice of a breach must be provided to the attorney general, the director of the Office of Consumer Affairs and Business Regulation, and any consumer reporting or state agencies, and must include, but is not limited to:
Notification of the breach can be submitted electronically on the Massachusetts government website. Massachusetts is one of a handful of states that posts breach notifications online; in Massachusetts, they are available on the Office of Consumer Affairs and Business Regulation (OCABR) website.
Massachusetts allows consumers to sue for damages. This right arises under Chapter 93A, the unfair trade practices law. Under certain circumstances, Chapter 93A allows for treble damages, as the statute provides: "A person may assert a claim under this section in a district court, whether by way of original complaint, counterclaim, cross-claim or third-party action, for money damages only. Said damages may include double or treble damages, attorneys' fees, and costs, as herein provided." The Massachusetts Attorney General can also bring suit.
Operating in Massachusetts
Any business operating in Massachusetts, or with Massachusetts-based customers, should remain attentive to relevant legislation, as data breach regulations are constantly being amended and modified. For the latest information on data breaches, privacyrights.org provides a running list by type, organization affected, and geographic location. Remember, there are many ways to mitigate the risk factors associated with data breaches. The standards for the protection of personal information of residents of the Commonwealth require each business to, at minimum, do the following:
For detailed, up-to-date requirements, please refer to 201 CMR 17.00. For assistance with operational compliance or proactive security strategies, contact iCorps for more information.