Mandated Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information:
- Breach Reporting & Consumer Notification
- Protect Personal Information
- Program for Protection/Security
- Vendor Specific Obligations
- Vendor Mandated Contracts
- Requests for Information
Fines & Penalties
Violations of breach notification laws:
- up to $5,000 per violation
None to minimal
Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation.
Consumer notification must be given without delay, even if all affected consumers have not yet been identified. Follow-up notification is required once additional information becomes available.
Specific information must be included in the regulatory reporting and consumer notification.
Businesses whose breach includes a social security number must offer credit monitoring service at no cost to each resident whose social security number was compromised or believed to be compromised, for at least 18 months (or 42 months if the company is a consumer reporting agency).
For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations.
Due to the extensive data protection requirements, data owners should also be prepared to demonstrate data protection compliance.
Laws also cover data disposal and record retention.
For violations of data disposal laws, a civil fine up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.
Separate laws govern specific industries, including insurance, financial, and student data.
If a vendor is breached, the vendor must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Statutes and Laws
Mass. Gen. Laws Ch. 93H §§ 1-6 Security Breaches
201 CMR 17.00 §§ 17.01-17.05 Standards for the Protection of Personal Information of Residents of the Commonwealth
Mass. Gen. Laws Ch. 93I §§ 1-3 Disposition and Destruction of Records
Mass. Gen. Laws Ch. 175I Insurance Information and Privacy Protection