Massachusetts Data Breach Notification Law Update

Massachusetts has strengthened its data breach notification regulations to better protect the personal information of Massachusetts residents and address delays businesses have made in the past when it comes to reporting incidents. If your business stores personal information on Massachusetts residents, these updates apply to you.

Once a business has acknowledged that personal information may have been compromised, the Office of the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation must be notified promptly and without delay.

What Does This Mean for Your Business?

This regulation affects any business that holds personal information, also referred to as PI, on any Massachusetts resident. The law defines PI as a resident's first and last name, or first initial and last name, in combination with at least 1 of the following:

  • Social security numbers
  • Driver's License / State ID numbers
  • Bank account information
  • Debit / Credit Card details

When notifying the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation of the breach, businesses must provide the following:

  • A detailed description of the breach
  • Number of residents affected
  • Steps the business has taken in response
  • Planned next steps
  • Whether law enforcement should be notified
  • Whether a third-party entity was involved

It is also worth noting that notifications must be sent to affected individuals on a rolling basis. Businesses cannot wait until confirmation of the number of affected residents before beginning outreach.

What is a WISP?

Beyond the updated requirements for notification, Massachusetts also requires businesses to develop, implement, and maintain a Written Information Security Program, commonly known as a WISP. A WISP is defined as a documented plan that outlines how your business collects, stores, and protects personal information, while also outlining steps to be taken in the event of a breach.

While core WISP requirements are consistent across businesses, each program should take into account the size and nature of the business, the resources available, and the types of records the business maintains. In the event of a breach, along with the information listed above, businesses must also disclose whether they have a WISP in place.

If you would like to learn more about WISP requirements, you can view the comprehensive compliance checklist that has been compiled to help you develop a strategy to evaluate your current security environment, identify potential gaps, or address questions or concerns you may have:

Where To Go from Here

Businesses that fail to comply with these updated regulations can face financial penalties, legal consequences, and possibly reputational damage. If you are unsure where your cybersecurity stands, or whether it complies with state regulations, the time to act is now. Reach out if you would like to discuss any of your questions or concerns.

AdvanTech can help you identify any gaps you may have and implement a comprehensive strategic plan to ensure your business is compliant and secure. The time for waiting and guessing has long passed; gain confidence in your security environment and reach out to our team today!
