As part of the recently updated Massachusetts Public Records Law, the state’s Office of Consumer Affairs and Business Regulation made its online Data Breach Notification Archive available to the public.
Governor Charlie Baker signed the amended legislation in June 2016. One of the changes required certain public records to be made available online.
“The Data Breach Notification Archive is a public record that the public and media have every right to view,” Consumer Affairs Undersecretary John Chapman said in a statement. “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”
Under Chapter 93H, the state’s data breach notification law, any entity that maintains a state resident’s personal information must notify the affected residents, the Office of Consumer Affairs and Business Regulation, and the Attorney General’s Office whenever that personal information is accidentally or intentionally compromised. Those notifications are what populate the archive.
“The unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth,” is considered a security breach, according to the law.
The law carves out one exception: “a good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency” is not treated as a breach of security, unless the information is then used in an unauthorized manner or subject to further unauthorized disclosure.
It is also important to note what counts as “personal information” under the statute: a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following:
- Social Security number
- driver's license number or state-issued identification card number
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account
Health insurance information and medical data are not currently among the data elements that trigger a breach notification requirement under the Massachusetts law.
Improving government transparency and overall communication with the public were major factors behind the public records law being updated.
“We are proud to undertake this important step towards increasing the public’s access to information and shedding further light on the government that their tax dollars fund,” Baker said in a statement when the changes were first introduced in 2015. “These new measures reduce costs and make the public records request process more uniform and timely, increasing government’s public accountability, openness and transparency.”
Several states have updated their data breach notification laws in the past couple of years, with some accounting for PHI.
For example, Illinois revised its Personal Information Privacy Act in 2016, including health insurance and medical information under its definition of “personal information.”
Medical information includes “an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.”
In practice, once the amendment takes effect, organizations must report data breaches that involve an individual’s first name or initial and last name in combination with that healthcare data.
The amendments also expanded the definition of protected personal information to include unique biometric data, such as fingerprint, retina, and iris images, as well as user names or email addresses in conjunction with passwords or security question answers.