Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- up to $5,000 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation.
  • Specific information must be included in the consumer notification.
  • For violations of the breach notification requirements, the Attorney General may bring an action, with fines of up to $5,000, and up to $10,000 for continued violations.
  • Comprehensive laws also cover data disposal and record retention.
  • The Attorney General may file a civil action in the superior or district court in the name of the commonwealth to recover penalties for violations involving improper disposal of personal information.
  • Due to the extensive data protection requirements, data owners should also be prepared to demonstrate data protection compliance.
  • For violations of data disposal laws, a civil fine of up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.
  • Separate laws govern specific industries, including insurance, financial, and student data.
  • If a vendor is breached, the vendor must report the breach to the data owner. The data owner is then responsible for completing the reporting and consumer notification.
  • If your breach affects residents of other states, you will need to notify those residents under their own state’s rules.
Statutes and Laws
  • Mass. Gen. Laws Ch. 93H §§ 1-6 Security Breaches
  • 201 CMR 17.00 §§ 17.01-17.05 Standards for the Protection of Personal Information of Residents of the Commonwealth
  • Mass. Gen. Laws Ch. 93I §§ 1-3 Disposition and Destruction of Records
  • Mass. Gen. Laws Ch. 175I Insurance Information and Privacy Protection
  • Mass. Gen. Laws Ch. 167 Supervision of Banks
  • Mass. Gen. Laws Ch. 167A Bank Holding Companies
  • Mass. Gen. Laws Ch. 111 Public Health
  • Mass. Gen. Laws Ch. 71 Public Schools
  • 603 CMR 23.00 Student Records