Guidance for Businesses on Security Breaches

Note: The following materials are provided for information purposes only to assist you in fulfilling your notice obligations pursuant to M.G.L. c. 93H, the law governing data breaches. This information should not be a substitute for assessing your notice obligations under M.G.L. c. 93H as notice obligations may vary on a case-by-case basis.

The Law

Pursuant to M.G.L. c. 93H, s. 3(b), if you own or license data that includes personal information of a Massachusetts resident, you are required to provide written notice as soon as practicable and without unreasonable delay to:

  1. The Attorney General (AGO);
  2. The Director of the Office of Consumer Affairs and Business Regulation (OCABR); and
  3. The affected Massachusetts resident

when you know or have reason to know (a) of a breach of security; or (b) that personal information of a Massachusetts resident was acquired by or used by an unauthorized person or used for an unauthorized purpose.

Notice to the AGO and OCABR

The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: (1) the nature of the breach of security or the unauthorized acquisition or use; (2) the number of Massachusetts residents affected by such incident at the time of notification; and (3) any steps the person or agency has taken or plans to take relating to the incident.

To assist you in this notification process, the AGO has prepared a sample letter outlining the minimum information that your notice should contain to the Attorney General. To download and view:

Executive Agency’s Duty to Notify Information Technology Division and Division of Public Records

In addition, pursuant to M.G.L. c. 93H, s. 3(c), if any agency is within the executive department, it shall also provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to the information technology division and the division of public records. The agency shall provide this notice as soon as practicable and without unreasonable delay following the discovery of the breach of security or unauthorized acquisition or use.

Notice to Affected Massachusetts Residents

A person or agency that has experienced a breach of security or the unauthorized acquisition or use of personal information of Massachusetts residents must also provide notice to those affected Massachusetts residents. This notice shall include, but not be limited to:

  1. the consumer’s right to obtain a police report;
  2. how a consumer requests a security freeze;
  3. the necessary information to be provided when requesting the security freeze; and
  4. any fees to be paid to any of the consumer reporting agencies, provided however, that the notification shall not include:
    a) the nature of the breach or unauthorized acquisition or use; or
    b) the number of Massachusetts residents affected by the security breach or the unauthorized access or use.

To assist you in this notification process, we have prepared a sample letter outlining the minimum information that your notice should contain to the affected Massachusetts resident(s). To download and view: