
The Commonwealth’s Data Breach Notification Law, Mass. General Law, Chapter 93H, requires businesses and other entities that own or license personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

In 2016, the Office of Consumer Affairs and Business Regulation received notice of 1,999 data breaches that affected 194,864 Massachusetts residents. Among the entities that experienced a breach were health care providers, town offices, and small retail stores. Banks, credit unions and other financial institutions accounted for a significant share of the reported breaches.

However, it is important to understand that not every breach reported by a financial institution was the result of a breach within the financial institution’s control. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card, the financial institution reports the breach as well.

After a breach, it’s critical that the business/financial institution that experienced the breach:

  • Notify the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office without unreasonable delay. The notification must include:
    • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
    • The number of Massachusetts residents affected as of the time of notification;
    • The steps already taken relative to the incident;
    • Any steps intended to be taken relative to the incident subsequent to notification; and
    • Information regarding whether law enforcement is engaged in investigating the incident.
  • Notify the consumers affected by the breach.
  • Develop or review their risk-based written information security program that takes into account their business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
  • Ensure compliance with the computer system security requirements outlined in 201 CMR 17.00.


If you have additional questions, contact the Office of Consumer Affairs and Business Regulation by calling our Consumer Hotline at (617) 973-8787, or toll-free in MA at (888) 283-3757, Monday through Friday, from 9 am-4:30 pm. Follow the Office on Facebook and Twitter, @Mass_Consumer. The Baker-Polito Administration’s Office of Consumer Affairs and Business Regulation along with its five agencies work together to achieve two goals: to protect and empower consumers through advocacy and education, and to ensure a fair playing field for all Massachusetts businesses. The Office also oversees the state’s Lemon Laws, data breach reporting, Home Improvement Contractor Program and the state’s Do Not Call Registry.
