

The Commonwealth’s Data Breach Notification Law, Mass. General Law, Chapter 93H, requires businesses and other entities that own or license personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

In 2016, the Office of Consumer Affairs and Business Regulation received notice of 1,999 data breaches that affected 194,864 Massachusetts residents. Among the entities that experienced a breach were health care providers, town offices, and small retail stores. Banks, credit unions and other financial institutions accounted for a significant number of the reported breaches.

However, it is important to understand that not every breach reported by a financial institution was a result of a breach within the financial institution’s control. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card, the financial institution reports the breach as well.

After a breach, it’s critical that the business/financial institution that experienced the breach:

  • Notify the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office without unreasonable delay. The notification must include:
    • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
    • The number of Massachusetts residents affected as of the time of notification;
    • The steps already taken relative to the incident;
    • Any steps intended to be taken relative to the incident subsequent to notification; and
    • Information regarding whether law enforcement is engaged in investigating the incident.
  • Notify the consumers affected by the breach.
  • Develop or review their risk-based written information security program that takes into account their business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
  • Ensure compliance with the computer system security requirements outlined in 201 CMR 17.00.


If you have additional questions, contact the Office of Consumer Affairs and Business Regulation by calling our Consumer Hotline at (617) 973-8787, or toll-free in MA at (888) 283-3757, Monday through Friday, from 9 am-4:30 pm. Follow the Office on Facebook and Twitter, @Mass_Consumer.

The Baker-Polito Administration’s Office of Consumer Affairs and Business Regulation, along with its five agencies, works to achieve two goals: to protect and empower consumers through advocacy and education, and to ensure a fair playing field for all Massachusetts businesses. The Office also oversees the state’s Lemon Laws, data breach reporting, Home Improvement Contractor Program and the state’s Do Not Call Registry.
