Massachusetts General Laws Ch. 93H §1 et seq
Type of Data Covered: "Data" is "any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics." See §1(a).
Is Breach Defined?
Yes. "'Breach of security', the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure." See §1(a).
When is notice required?
Notice is required for all affected residents and must also be given to the Attorney General and the Director of Consumer Affairs and Business Regulation. Massachusetts responsibly requires that certain content be included in the notices, but interestingly residents are not told of the nature of the breach; only the AG and Director receive that information. Notice must be given "as soon as practicable and without unreasonable delay," with an exception for criminal investigations.
What are the penalties for non-compliance?
Violations have their own section of the law, § 6, which reads as follows:
"The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate."
Quick! Who will disclose the breach first!?