Preventing Security Breaches in the State of Massachusetts

Mass. Gen. Laws § 93H-1 is a data breach notification law that was passed in the U.S. state of Massachusetts in 2007 and recently amended in 2019. The amendment was intended to give residents of the state an updated level of protection against cyber-attacks and data breaches. Mass. Gen. Laws § 93H-1 establishes both the legal framework that business entities within Massachusetts must adhere to when a security breach occurs and the punishments that can be imposed when a business entity fails to comply with this framework.

How is a security breach defined under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, a security breach is defined as “the unauthorized access of unencrypted data or encrypted data, provided that the key to access the data is available, maintained by a person (person, corporation or legal entity) or agency (a government department, bureau, office, etc.) that compromises the confidentiality, security, or integrity of the personally identifying data.” The law also states that “an acquisition in good faith by a person or agency or the employee or agent of a person or agency is not considered a breach of security unless the data is subject to unauthorized release or disclosure.”

What are the responsibilities of business entities under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, business entities that conduct operations within the state of Massachusetts are required to provide residents of the state with security breach notifications when a breach occurs. These notices must be provided to Massachusetts residents as soon as practicable and without undue delay, and must detail the scope and severity of the breach, as well as the forms of personal information that were compromised, among other things. Business entities within the state are also required to provide notice to the Massachusetts Attorney General when a data breach occurs. These notices must include details including but not limited to:

What categories of personal information are protected under Mass. Gen. Laws § 93H-1?

Under Mass. Gen. Laws § 93H-1, the following categories of personal information are protected under the law should they be compromised as a result of a data breach, in conjunction with first name and last name or the first initial and last name of a resident within the state of Massachusetts:

The penalties for non-compliance under Mass. Gen. Laws § 93H-1 are enforced by the Massachusetts Attorney General. Accordingly, the Massachusetts Attorney General has the authority to impose a number of sanctions and penalties against individuals, business entities, and organizations within the state that fail to comply with the law. Such punishments include damages, civil penalties, and injunctive relief. The Massachusetts Attorney General also reserves the right to “take action in the form of relief or what may be deemed appropriate, against an entity found in violation of the code.”

Mass. Gen. Laws § 93H-1 represents the primary legal framework for governing security breaches within the state of Massachusetts. While many of the provisions of state data breach notification laws within the U.S. are similar, including requirements mandating that an entity that experienced a breach provide notice to the state Attorney General, the provisions of Mass. Gen. Laws § 93H-1 are in many ways far more restrictive and stringent than those of other such laws. As such, residents of the state of Massachusetts can have the peace of mind that their personal information is being protected at one of the highest levels that is currently available under U.S. state-based legislation.
