Massachusetts Data Breach Policy

Data breaches are a persistent and growing threat to the privacy and finances of American consumers. Millions of Massachusetts residents have been impacted by breaches over the last two decades, some of whom suffered serious personal or financial harm. An official record of data breaches in Massachusetts dating back to 2007 can be found here. Our office has heard from many constituents concerned about this issue, many of whom were impacted by breaches themselves. The Senator asked his team to look into Massachusetts government’s ongoing work on this issue. This post overviews existing state law regarding data breaches, how it is enforced, and relevant legislation pending in the state legislature. 

(Note: Our office does not provide legal advice and we do not intend for this post to be used as a legal resource. Residents impacted by data breaches may file a consumer complaint with the Attorney General’s Office for guidance.)

Consumer Protections in Current Law

Massachusetts law affords protections against data breaches by imposing security requirements on persons or entities that own or license data containing residents’ personal information.

Massachusetts General Laws chapter 93H is the state law dedicated to security breaches involving data that contain Massachusetts residents’ “personal information.”

For the purposes of the law, “personal information” includes a resident’s first and last names or first initial and last name in combination with any 1 or more of the following:

  • Social Security number;
  • Driver’s license number or state-issued identification card number; or
  • Financial account numbers or credit or debit card numbers that would permit access to a financial account.

(Note: “Personal information” does not include any data lawfully obtained from publicly available sources.)

Section 2 of chapter 93H orders the Office of Consumer Affairs and Business Regulation (OCABR) to adopt minimum data protection requirements for persons or entities that own or license residents’ personal information. These standards are recorded in chapter 17 of title 201 of the Code of Massachusetts Regulations (CMR).

Persons and entities subject to the regulations must maintain a “comprehensive information security program” that is “appropriate” for:

  • The size, scope and type of business being conducted;
  • The amount of resources available to the person/entity;
  • The amount of stored data; and
  • The need for security and confidentiality of both consumer and employee information.

Notably, the program must include:

  • Implementation of a written information security program (WISP);
  • Encryption of all personal information, transmitted records, and files; and
  • Sufficient monitoring systems and designated staff to maintain data security.

Reporting Requirements in Current Law

In the event of a breach, persons or entities that store, own, or license data containing residents’ personal information must alert state government, then notify and provide support to affected residents.

Sections 3 – 5 of chapter 93H articulate reporting requirements in the event of a breach for entities or individuals in possession of Massachusetts residents’ “personal information” (as previously defined).

Covered persons and entities are required to alert state government if they know or have reason to know of (1) a breach of security or (2) an unauthorized use of residents’ personal information that could cause substantial harm or inconvenience. Importantly, reports to state government must disclose how many residents have been affected, what kind of information has been compromised, and the nature of the breached security system.

Affected Massachusetts residents must be notified of a breach “as soon as practicable and without unreasonable delay” (MGL ch. 93H sec. 3). Notices must inform residents of their right to obtain a police report, provide instructions on placing a free security freeze on their credit reports, and detail the assistance they are entitled to under the law. If the breach exposed a resident’s Social Security number, the notifying person/entity must offer at least 18 months of free credit monitoring services by a third party.

(Note: unlike the reports made to state government, the notices sent to residents must NOT include the number of affected residents or the nature of the breach. Law enforcement may delay notification if it would impede an ongoing criminal investigation.)

Enforcement and Consumer Recourse in Current Law

Enforcement of data privacy consumer protections is primarily vested with the Attorney General’s Office (AGO); residents do not currently have a clear path to private legal action.

Chapter 93H does not explicitly contemplate a right to individual or class action lawsuits by residents for violations of its provisions. Consumers may bring suit against a business for an “unfair or deceptive practice” under Massachusetts General Laws chapter 93A. However, this provision of 93A is not explicitly linked to 93H.

Consumers may file a complaint to the Massachusetts Attorney General’s Office (AGO) if they have been affected by a data breach. The role of AGO in processing these complaints is to provide resources to consumers and ensure organizations are complying with their reporting and data security requirements.

The Attorney General’s Office has successfully taken action against businesses that failed to adequately protect consumers from data breaches. The $16M settlement that then-Attorney General Maura Healey secured from Experian and T-Mobile in 2022 is a notable example.

Legislative Developments

Senators Creem and Lewis have filed “an Act establishing the Data Privacy Protection Act” (S2770). The bill is currently under review by the Senate Ways and Means Committee.

S2770 imposes a number of new safeguards on data collection by private entities that store large amounts of customer information for extended periods of time.

Notably, S2770:

  • Prohibits data collection beyond what is necessary for delivering the product or service;
  • Imposes new restrictions on collection of sensitive personal information, including medical and location data;
  • Prohibits companies from using such sensitive data to inform targeted advertising; and
  • Gives consumers the right to sue businesses/organizations that violate the protections created by the Act.

The Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity has favorably reported a cybersecurity and artificial intelligence omnibus bill, “an Act relative to cyber security and artificial intelligence” (S2539). The bill’s focus is on the regulation of artificial intelligence and cybersecurity vulnerabilities more broadly, but it does contain some relevant data privacy components.

Notably, the bill would change resident notice requirements to include more detail about the nature of the breach and what kind of information was compromised. S2539 also expands what kinds of “personal information” are subject to the minimum security and notice requirements under chapter 93H.

“Personal information” would include the following additional forms of data:

  • Biometric information;
  • Genetic information;
  • Geolocation;
  • Health data;
  • Date of birth;
  • Usernames and passwords; and
  • Email addresses.

Join the Conversation

8 Comments

  1. Good to hear there is more work done on this. As someone who has led employee seminars on identity theft, and maintained compliance with the regulations, I have one suggestion. We really need to implement the features of the California Consumer Privacy Act (CCPA) and the subsequent CPRA in Massachusetts.

    The right to know about the personal information a business collects about them and how it is used and shared;
    The right to delete personal information collected from them (with some exceptions);
    The right to opt-out of the sale or sharing of their personal information; and
    The right to non-discrimination for exercising their CCPA rights.

    The right to correct inaccurate personal information that a business has about them; and
    The right to limit the use and disclosure of sensitive personal information collected about them.

  2. How about adding telephone number to the additional forms of data.
    Also hold data systems in the breach fully liable for the financial losses incurred in the breach, and costs in making them whole again.

  3. Also, as it is common knowledge that practically no one reads EULAs, and that tech is an essential utility to live in this world, it should be against the law for all but the most special/special-case EULAs to ask anything of us beyond a common boilerplate that would be agreed upon by the most jealous and conservative guardian of theirs and their family’s personal information.

    1. EULAs would always have been regarded as contracts of adhesion and at minimum construed strictly against the drafter, if enforceable to begin with. This ancient protection disappeared with the hiring of lobbyists by big tech.

  4. I concur with previous posters: Mirror MA legislation on European GDPR or CA CPRA, and hold corporations liable without having consumers pay out of pocket to litigate.

    There is an inherent conflict of interest in that corporations want as much integrated data on us as possible, and have had little incentive to protect it. When it becomes too expensive for data holders not to use tight security, this may begin to change.

    And it’s not just data breaches we need to concern ourselves with. Manipulation of our consumer, personal and electoral preferences needs to be reined in as well. Yet another unchecked excess of the market economy.

  5. Glad to see some focus on this. American consumers get the worst of all worlds: In order to use many services/websites, we are forced to hand over personal information to EULA protected corporations who immediately sell it and insecurely store it. We need our own version of Europe’s GDPR (https://gdpr.eu/what-is-gdpr/) but it’s hard to see that happening when so many of our politicians (unlike you, Will) are in the pocket of these same corporations.

  6. We definitely need more protections and the right to opt out of any of our information being given to others. They also should not be allowed to keep our Social Security numbers. I don’t understand why credit card companies ask for this information and then don’t delete it once verified for their purposes. I have been notified by so many different companies about data breaches it’s ridiculous.
