Massachusetts

Mass. Gen. Laws 93H § 1 et seq.

201 C.M.R. 17.00

H.B. 4144 (signed into law August 3, 2007)

Effective October 31, 2007


Application.  A natural person, corporation, association, partnership or other legal entity, or any agency, executive office, department, board, commission, bureau, division or authority of MA, or any of its branches, or any political subdivision thereof (collectively, Entity) that owns, licenses, maintains or stores data that includes PI about a resident of MA.
    • The provisions governing maintenance of PI are applicable to any Entity maintaining information on MA residents, whether or not organized or licensed under the laws of MA.
Security Breach Definition.  An unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of PI maintained by an Entity, and that creates a substantial risk of identity theft or fraud against a resident of MA.
    • A good-faith but unauthorized acquisition of PI by an Entity, or employee or agent thereof, for the lawful purpose of such Entity, is not a breach of security unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.
Notification Obligation.  An Entity to which the statute applies shall provide notice to the affected residents, as soon as practicable and without unreasonable delay, when the Entity knows or has reason to know of a breach of security, or when the Entity knows or has reason to know that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose. Note: MA may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation, regardless of materiality or ownership of the data.

Attorney General/State Agency Notification.
Notice must be provided to the state AG and the director of consumer affairs and business regulation.
    • Upon receipt of notice, the director of consumer affairs and business regulation shall identify any relevant consumer reporting agency or state agency and forward the names of the identified consumer reporting agencies and state agencies to the notifying Entity.  The Entity shall, as soon as practicable and without unreasonable delay, also provide notice to consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.
Notification Obligation of an Agency Within the Executive Department.  If an agency is within the executive department, it shall provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use of the information to the technology division and the division of public records as soon as practicable and without unreasonable delay following discovery of the breach of security or unauthorized acquisition or use, and shall comply with all policies and procedures adopted by that division pertaining to the reporting and investigation of such an incident.

Third-Party Data Notification.
An Entity that maintains or stores, but does not own or license, data that includes PI about a resident of MA shall provide notice to the owner or licensor, as soon as practicable and without unreasonable delay, when such Entity (i) knows or has reason to know of a breach of security or (ii) knows or has reason to know that the PI of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose.

Such Entity shall cooperate with the owner or licensor of such PI. Cooperation shall include, but not be limited to: (i) informing the owner or licensor of the breach of security or unauthorized acquisition or use, (ii) the date or approximate date of such incident and the nature thereof, and (iii) any steps the Entity has taken or plans to take relating to the incident, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets, or to provide notice to a resident that may not have been affected by the breach of security or unauthorized acquisition or use.

Timing of Notification.  The notification shall be given as soon as practicable and without unreasonable delay following discovery of the breach.

Personal Information Definition.  A resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relates to such resident:
    • Social Security Number;
    • Driver license or MA identification card number; or
    • Financial account number, or credit card number, with or without any required security code, access code, personal ID number or password, that would permit access to a resident’s financial account.
PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

Notice Required.
Notice may be provided by one of the following methods:
    • Written notice; or
    • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
The notice to be provided to the AG, director of consumer affairs, and consumer reporting agencies or state agencies, if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use, (ii) the number of residents of MA affected by such incident at the time of notification, and (iii) any steps the Entity has taken or plans to take relating to the incident.

Notice to be provided to the resident shall include, but not be limited to: (i) the consumer’s right to obtain a police report, (ii) how to request a security freeze and the information that must be provided when requesting the security freeze, and (iii) any fees required to be paid to any of the consumer reporting agencies.  The notice to the resident shall not include the nature of the breach or unauthorized acquisition or use, or the number of residents of MA affected by said breach or unauthorized access or use.

Substitute Notice Available.  Substitute notice is available if the Entity required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, that the affected class of MA residents to be notified exceeds 500,000 residents, or that the Entity does not have sufficient contact information to provide notice.  Substitute notice shall consist of all of the following:
    • Email notice, if the Entity has email addresses for the members of the affected class of MA residents;
    • Clear and conspicuous posting of the notice on the home page of the Entity’s Web site, if the Entity maintains one; and
    • Publication in or broadcast through media or a medium that provides notice throughout MA.
Exception:  Compliance with Other Laws.
    • Primary Regulator.  Notification pursuant to laws, rules, regulations, guidances, or guidelines established by an Entity’s primary or functional state or federal regulator is sufficient for compliance.
Other Key Provisions:
    • Delay for Law Enforcement.  Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation, has notified the AG in writing thereof, and informs the Entity of such determination.  Notice required by the statute must then be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.  The Entity shall cooperate with law enforcement in its investigation of any breach of security or unauthorized acquisition or use, which shall include the sharing of information relevant to the incident; provided, however, that such cooperation shall not require the disclosure of confidential business information or trade secrets.

    • AG Enforcement.  Penalties include civil penalties, damages, and injunctive relief.