Preventing Security Breaches in the State of Massachusetts

Preventing Security Breaches in the State of Massachusetts
January 03, 2022 | 4 minutes read

Mass. Gen. Laws § 93H-1 is a data breach notification law that was passed in the U.S. state of Massachusetts in 2007 and recently amended in 2019. Mass. Gen. Laws § 93H-1 was amended for the purposes of providing residents of the state with an updated level of protection as it concerns cyber-attacks and data breaches. To this point, Mass. Gen. Laws § 93H-1 establishes both the legal framework that business entities within Massachusetts are responsible for adhering to in the event that a security breach occurs, as well as the punishments that can be imposed when a business entity fails to comply with this framework.

How is a security breach defined under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, a security breach is defined as “as the unauthorized access of
unencrypted data or encrypted data, provided that the key to access the data is available, maintained by a person (person, corporation or legal entity) or agency (a government department, bureau, office, etc.) that compromises the confidentiality, security, or integrity of the personally identifying data.” Alternatively, the law states that “an acquisition in good faith by a person or agency or the employee or agent of a person or agency is not considered a breach of security unless the data is subject to unauthorized release or disclosure.”

What are the responsibilities of business entities under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, business entities that conduct operations within the state of Massachusetts are required to provide residents of the state with security breach notifications in the event that such an instance occurs. These notices must be provided to Massachusetts residents as soon as practicable and without undue delay, and must provide said residents with information detailing the scope and severity of the breach, as well as the forms of personal information that were compromised following the breach, among other things. What’s more, business entities within the state are also required to provide notice to the Massachusetts Attorney General when a data breach occurs. These notices must include details including but not limited to:

  • The nature of the security breach.
  • The number of residents within the state of Massachusetts that were affected by the breach at the time of the notification.
  • The name and address of the person or business entity that experienced the security breach.
  • The name and title of the person that is reporting the security breach, as well their relationship to the person or entity that experienced the breach.
  • The type of business entity or organization that is reporting the security breach.
  • The person who is responsible for the security breach, if such information is known at the time in which the notification was communicated.
  • The “type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data.”
  • Whether the person or entity that has experienced the breach “maintains a written information security program.”
  • Any additional steps that the person or entity has taken to “relating to the incident, including updating the written information security program.”

What categories of personal information are protected under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, the following categories of personal information are protected under the law should they be compromised as a result of a data breach, in conjunction with first name and last name or the first initial and last name of a resident within the state of Massachusetts:

  • Social security numbers.
  • Bank account numbers.
  • Drivers license numbers and state identification card numbers.
  • Financial account numbers, credit card numbers, with our with any security codes, access codes, personal identification numbers, and passwords, that could be used to grant access to an individual’s financial account.

In terms of the penalties for non-compliance under Mass. Gen. Laws § 93H-1, the provisions set forth in the law are enforced by the Massachusetts Attorney General. Subsequently, the Massachusetts Attorney General has the authority to impose a number of sanctions and penalties against individuals, business entities, and organizations within the state that fail to comply with the law. Such punishments include damages, civil penalties, and injunctive relief. The Massachusetts Attorney General also reserves the right to “take action in the form of relief or what may be deemed appropriate, against an entity found in violation of the code.”

Mass. Gen. Laws § 93H-1 represents the primary legal framework for governing security breaches within the state of Massachusetts. While many of the provisions of state data breach notification laws within the U.S. are similar, including requirements mandating that an entity that experienced a breach provide notice to the state Attorney General, the provisions of Mass. Gen. Laws § 93H-1 are in many ways far more restrictive and stringent than those of other such laws. As such, residents of the state of Massachusetts can have the peace of mind that their personal information is being protected at one of the highest levels that is currently available under U.S. state-based legislation.