- Massachusetts businesses and organizations that need to complete the data breach notification process will now be able to do so through an online data breach reporting tool.
Massachusetts Attorney General Maura Healey explained in a statement that entities can report information through the online portal rather than submitting a hard copy notice.
“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” Healey said. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”
Massachusetts law requires that affected residents, the Office of Consumer Affairs and Business Regulation (OCABR), and the AG’s Office be notified if personal information is accidentally or intentionally compromised.
Personal information is a resident's first name and last name or first initial and last name in combination with one or more of the following:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account
An incident is also considered a data breach only if unencrypted data or encrypted electronic data and its accompanying key or confidential process are compromised. Massachusetts law also states that encrypted data is that “transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.”
“Data breaches may occur due to intentional hacking or because of human error, such as sending an e-mail to the wrong person or losing a laptop,” the AG’s office maintained. “Institutions experiencing data breaches range from the largest, most sophisticated institutions in the state to small businesses with only one or two employees. While many breaches affect a relatively small number of consumers, many entities have experienced data breaches affecting large numbers of consumers.”
Prompt data breach notification is essential for consumers because they need to be able to properly defend themselves against potential attacks. Unauthorized credit card use or identity theft can be very damaging to consumers, according to the Massachusetts AG’s office.
Healey filed the first enforcement action against Equifax after the company experienced a large-scale data breach in 2017.
Equifax did not maintain appropriate safeguards to keep sensitive consumer data secure, the complaint said.
“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” Healey said in a September 2017 statement. “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
The Equifax data breach pushed numerous states to made adjustments to their data breach laws, including expanding the definition of personal information and requiring data encryption. Shortening the notification period was also included in some proposed legislation.
For example, Virginia Rep. Kelly Convirs-Fowler introduced the Virginia Consumer Protection Act (HB1588) in January 2018, which would require consumer reporting agencies to disclose a breach of security of a computerized data system within 15 days.
Virginia lawmakers will also review a study conducted by the Joint Commission on Technology and Science was proposed to “evaluate and compare the various methods used by localities to report unauthorized breaches of personal information to the Office of the Attorney General and affected residents of the Commonwealth.”
The study would “identify one or more methods of reporting, such as through a central portal system, that promote the efficient and timely reporting of information breaches” and “develop a list of best practices, processes, and resources that localities can use for cyber security remediation assistance and to report unauthorized information breaches.”
Massachusetts has been working toward improving its overall approach to improved data breach awareness within the past year. In addition to a new reporting tool, the Commonwealth’s Office of Consumer Affairs and Business Regulation made its online Data Breach Notification Archive available to the public in 2017.
Following the update of its public record’s law, Massachusetts’ Data Breach Notification Archive was made easily accessible to increase transparency, Consumer Affairs Undersecretary John Chapman said in a statement.
The changes were first introduced in 2015, with Governor Charlie Baker saying at the time that it was an “important step towards increasing the public’s access to information and shedding further light on the government that their tax dollars fund.”
“These new measures reduce costs and make the public records request process more uniform and timely, increasing government’s public accountability, openness and transparency,” Baker stated.