Massachusetts Privacy Laws Overview
BREACH NOTIFICATION – Mandated Timeframe: Without unreasonable delay
FINES & PENALTIES – Violations: Up to $5,000 per violation
Regulation Levels
- Breach Reporting
- Consumer Notification
- Vendor Management
- Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information, privacy, and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Massachusetts Privacy Law Information
Because of the extensive data protection requirements, Organizations should also be prepared to demonstrate data protection compliance. Minimum safeguard standards are required of Organizations, including a written information security program for the protection and security of personal information. Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect the personal information of the Organization.
Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation. The Organization is responsible for completing any required regulatory reporting and consumer notification. Vendors must notify Organizations without unreasonable delay after discovery of a breach or suspected breach. In addition, Vendors must cooperate with Organizations to provide all necessary information regarding a breach and any remediation taken relating to an incident.
Consumer notification must be given without delay, even if all affected consumers have not yet been determined. Follow-up notification is required once additional information becomes available. Specific information must be included in the regulatory reporting and consumer notification. Businesses whose breach includes a social security number must offer credit monitoring service at no cost to each resident whose social security number was compromised or believed to be compromised, for at least 18 months (or 42 months if the company is a consumer reporting agency).
Separate laws govern specific industries, including insurance, financial, and student data.
Vendors must maintain appropriate safeguards consistent with mandated requirements of Organizations, including, but not limited to, risk assessment, employee training, security policies, and internal disciplinary measures for violations. Disposal Vendors must be contracted. Disposal Vendors must implement and comply with policies and procedures to safeguard personal information from unauthorized access or acquisition during collection, transportation and disposal.
Organizations may be fined or penalized for Vendor violations. For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations. For violations of data disposal laws, a civil fine up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.
Massachusetts Statutes and Laws
Standards for the Protection of Personal Information of MA Residents
Student records
Public schools
Definitions
Regulations to safeguard personal information of commonwealth residents
Duty to report known security breach or unauthorized use of personal information
Breaches of security including social security numbers; offer of credit monitoring services required
Delay in notice when notice would impede criminal investigation; cooperation with law enforcement
Applicability of other state and federal laws
Additional duties of attorney general
Dispositions and destruction of records
Definitions
Standards of disposal of records containing personal information; disposal by third party; enforcement
Enforcement
Public health
Supervision of banks
Bank holding companies
Insurance information and privacy protection
DISCLAIMER
The information provided is not legal guidance or recommendations and is for informational purposes only.