Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

MASSACHUSETTS DATA PRIVACY REGULATIONS

Did You Know?

  • Specific factors determine breach reportability
  • Comprehensive requirements for notifications
  • Data owners are responsible for reporting and notifications
  • Possible notices to the attorney general, director of consumer affairs and business regulation, the consumer reporting agencies, and additional state agencies
  • Due to the extensive data protection requirements in MA, data owners should also be prepared to demonstrate data protection compliance
  • Comprehensive laws also cover data protection, data disposal, and record retention

Who Me?

Massachusetts breach and notification laws may apply if you are a person or agency that:

  • Owns or licenses computerized data that includes personal information;
  • Maintains or stores data that includes personal information which they do not own or license.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

What is PII?

PII is personally identifiable information. PII relevant to a breach in Massachusetts includes an individual’s name with one or more of the following:

  • Social Security number;
  • Driver’s license or state-issued identification number;
  • Financial account numbers or credit/debit card numbers, with or without security or access codes, PINs or passwords.

PII may also include biometric or medical-record information, or an individual's character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics.

LAWS

APPLICABLE LAW

A few of these laws include, but are not limited to:

General Laws of the Commonwealth of Massachusetts

Part 1 Administration of the Government/Title XV Regulation of Trade

  • Chapter 93H – Security Breaches: Sections 1-6

Implementing requirements are also set out in 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth; and 201 CMR 16.00: Placing, Lifting and Removal of Security Freezes.

RELATED LAWS

A few of these laws include, but are not limited to:

General Laws of the Commonwealth of Massachusetts

Part 1 Administration of the Government/Title XV Regulation of Trade

  • Chapter 93H – Security Breaches: Section 2
  • Chapter 93I – Dispositions and Destruction of Records: Sections 1-3, and 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  • Chapter 93: Section 105 – Credit cards; checks; personal identification information

PENALTIES

COMPLIANCE PENALTIES

The attorney general may bring an action for violations or non-compliance; remedies could include an injunction, restoration to affected residents, and fines for willful violation of up to $5,000, and up to $10,000 for continued violations.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when determining whether reporting is required include, but are not limited to:

  • The combination of personal information breached;
  • If the data was unencrypted or encrypted electronic data;
  • If the data was acquired by or used by an unauthorized person;
  • If the data was used for an unauthorized purpose;
  • Whether the confidential process or key was obtained;
  • Whether the incident creates a substantial risk of identity theft or fraud.

TIME LIMITS

Notification may be delayed if law enforcement indicates that notifying affected persons would interfere with an investigation; otherwise, notification must be made as soon as practicable and without unreasonable delay.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may only be made by written notice or electronically, subject to stipulations. A substitute notice, with specific requirements, may be used if the person demonstrates that the cost of providing the notice would exceed $250,000, that the number of persons to be notified exceeds 500,000, or that they do not have sufficient contact information.

Contact the Privacy Experts at CSR