Mandated Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information: Breach Reporting & Consumer Notification; Protect Personal Information; Program for Protection/Security; Third Party: Specific Obligations; Third Party: Mandated Contracts; Requests for Information
Fines & Penalties: Violations of breach and notification laws up to $5,000 per violation
Third Party Management: None to minimal
Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation.
Specific information must be included in the consumer notification.
For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations.
Comprehensive laws also cover data disposal and record retention.
The Attorney General may file a civil action in the superior or district court in the name of the commonwealth to recover penalties for violations involving improper disposal of personal information.
Due to the extensive data protection requirements, data owners should also be prepared to demonstrate data protection compliance.
For violations of the data disposal laws, a civil fine of up to $100 per affected data subject, up to a maximum of $50,000, can be assessed for each instance of improper disposal.
Separate laws govern specific industries, including insurance, financial, and student data.
If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the breach reporting and the consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Mass. Gen. Laws Ch. 93H §§ 1-6 Security Breaches (2010)
201 CMR 17.00 §§ 17.01-17.05 Standards for the Protection of Personal Information of Residents of the Commonwealth (2010)
Mass. Gen. Laws Ch. 93I §§ 1-3 Disposition and Destruction of Records
Mass. Gen. Laws Ch. 175I Insurance Information and Privacy Protection