The Commonwealth’s Data Breach Notification Law, Mass. General Law, Chapter 93H, requires businesses and other entities that own or license personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

In 2016, the Office of Consumer Affairs and Business Regulation received notice of 1,999 data breaches that affected 194,864 Massachusetts residents. Among the entities that experienced a breach were health care providers, town offices, and small retail stores. Banks, credit unions and other financial institutions accounted for a significant number of the reported breaches.

However, it is important to understand that not every breach reported by a financial institution was the result of a breach within the financial institution’s control. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card, the financial institution reports the breach as well.

After a breach, it’s critical that the business/financial institution that experienced the breach:

  • Notify the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office without unreasonable delay. The notification must include:
    • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
    • The number of Massachusetts residents affected as of the time of notification;
    • The steps already taken relative to the incident;
    • Any steps intended to be taken relative to the incident subsequent to notification; and
    • Information regarding whether law enforcement is engaged in investigating the incident.
  • Notify the consumers affected by the breach.
  • Develop or review their risk-based written information security program that takes into account their business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
  • Ensure compliance with the computer system security requirements outlined in 201 CMR 17.00.


If you have additional questions, contact the Office of Consumer Affairs and Business Regulation by calling our Consumer Hotline at (617) 973-8787, or toll-free in MA at (888) 283-3757, Monday through Friday, from 9 am-4:30 pm. Follow the Office on Facebook and Twitter, @Mass_Consumer. The Baker-Polito Administration’s Office of Consumer Affairs and Business Regulation along with its five agencies work together to achieve two goals: to protect and empower consumers through advocacy and education, and to ensure a fair playing field for all Massachusetts businesses. The Office also oversees the state’s Lemon Laws, data breach reporting, Home Improvement Contractor Program and the state’s Do Not Call Registry.
