The Commonwealth’s Data Breach Notification Law, Mass. General Law, Chapter 93H, requires businesses and other entities that own or license personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

In 2016, the Office of Consumer Affairs and Business Regulation received notice of 1,999 data breaches that affected 194,864 Massachusetts residents. Among the entities that experienced a breach were health care providers, town offices, and small retail stores. Banks, credit unions and other financial institutions accounted for a significant number of the reported breaches.

However, it is important to understand that not every breach reported by a financial institution was the result of a breach within the financial institution’s control. In addition to the regular reporting requirements, the law also requires financial institutions to report when a debit or credit card they issue is compromised. This means a breach may have occurred at a retailer, but if the consumer used their bank-issued card there, the financial institution reports the breach as well.

After a breach, it’s critical that the business/financial institution that experienced the breach:

  • Notify the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office without unreasonable delay. The notification must include:
    • A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
    • The number of Massachusetts residents affected as of the time of notification;
    • The steps already taken relative to the incident;
    • Any steps intended to be taken relative to the incident subsequent to notification; and
    • Information regarding whether law enforcement is engaged in investigating the incident.
  • Notify the consumers affected by the breach.
  • Develop or review their risk-based written information security program, taking into account the business’s size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
  • Ensure compliance with the computer system security requirements outlined in 201 CMR 17.00.


If you have additional questions, contact the Office of Consumer Affairs and Business Regulation by calling our Consumer Hotline at (617) 973-8787, or toll-free in MA at (888) 283-3757, Monday through Friday, from 9 am-4:30 pm. Follow the Office on Facebook and Twitter, @Mass_Consumer. The Baker-Polito Administration’s Office of Consumer Affairs and Business Regulation along with its five agencies work together to achieve two goals: to protect and empower consumers through advocacy and education, and to ensure a fair playing field for all Massachusetts businesses. The Office also oversees the state’s Lemon Laws, data breach reporting, Home Improvement Contractor Program and the state’s Do Not Call Registry.
