Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
  • up to $5,000 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation.
  • Consumer notification must be given without delay, even if all affected consumers have not yet been determined. Follow-up notification is required once additional information becomes available.
  • Specific information must be included in the regulatory reporting and consumer notification.
  • Businesses whose breach includes a social security number must offer credit monitoring services at no cost to each resident whose social security number was compromised or believed to be compromised, for at least 18 months (or 42 months if the company is a consumer reporting agency).
  • For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations.
  • Due to the extensive data protection requirements, data owners should also be prepared to demonstrate data protection compliance.
  • Laws also cover data disposal and record retention.
  • For violations of data disposal laws, a civil fine up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.
  • Separate laws govern specific industries, including insurance, financial, and student data.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Statutes and Laws
  • Mass. Gen. Laws Ch. 93H §§ 1-6 Security Breaches
  • 201 CMR 17.00 §§ 17.01-17.05 Standards for the Protection of Personal Information of Residents of the Commonwealth
  • Mass. Gen. Laws Ch. 93I §§ 1-3 Disposition and Destruction of Records
  • Mass. Gen. Laws Ch. 175I Insurance Information and Privacy Protection
  • Mass. Gen. Laws Ch. 167 Supervision of Banks
  • Mass. Gen. Laws Ch. 167A Bank Holding Companies
  • Mass. Gen. Laws Ch. 111 Public Health
  • Mass. Gen. Laws Ch. 71 Public Schools
  • 603 CMR 23.00 Student Records