Massachusetts Attorney General Launches New Data Security Breach Reporting Portal
The Massachusetts Attorney General’s Office (“AGO”) recently launched an online portal making it easier for organizations to report data security breaches. This new portal provides employers and other organizations with an avenue for notifying the AGO electronically of a data security breach. Use of the portal is voluntary, and organizations are free to provide hard copy notice of a breach if they prefer.
Organizations should bear in mind that use of the new portal satisfies only the AGO’s notice requirement. A data security breach will still need to be reported separately to the Director of the Office of Consumer Affairs and Business Regulation (“OCABR”) and the affected Massachusetts resident.
Overview Of Massachusetts Data Security Law
Massachusetts’s data security law, enacted in 2007 after a series of high-profile data breaches, imposes significant obligations on entities possessing “personal information” about residents of the Commonwealth, including notice requirements in the event of a data security breach. The law applies to any person or organization that owns, licenses, stores, or maintains personal information about a Massachusetts resident. Public and private Massachusetts employers in possession of personal information are covered, regardless of size.
The statute requires organizations to protect against data security breaches, and governs what they must do if a breach occurs. Under the law, a covered entity must provide written notice of a data security breach “as soon as practicable and without reasonable delay” to: (1) the AGO; (2) OCABR; and (3) the affected Massachusetts resident. This reporting obligation is triggered as soon as the entity knows or has reason to know that a breach has occurred, or that personal information was acquired without authorization.
“Personal information” is defined as “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident's financial account.” For most employers, personal information is maintained by the Human Resources Department.
Under the data security law, a “breach” includes a breach of security or the unauthorized acquisition or use of data (or the confidential process or key for accessing data), which is “capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the [C]ommonwealth...”
The data security law protects Massachusetts residents’ personal information both in and out of state. Thus, entities operating in other states are covered by the law if they possess personal information of Massachusetts citizens.
Other Employer Obligations Under The Law
All Massachusetts employers are required to have a comprehensive Written Information Security Program (or “WISP”) establishing written safeguards for the protection of personal information within the organization. A WISP must include basic standards for how employees are expected to safeguard personal information, as well as information on how the employer will respond to a data breach. Employers must also designate one or more employees to be in charge of maintaining the organization’s security program.
Other obligations for employers include regularly assessing internal and external risks; developing security policies relating to storage, access, and transportation of records containing personal information; regularly conducting employee trainings; imposing disciplinary measures for WISP violations; taking steps to prevent terminated employees from accessing or retaining records containing personal information; and overseeing third-party vendors and service providers to ensure that appropriate security measures for personal information are in place.
Steps For Organizations To Ensure Legal Compliance
We suggest that employers and other organizations that are uncertain whether they are in full compliance with the Massachusetts data security law take the following steps:
- Review your organization’s WISP and employee handbook. Are all necessary policies in place? Has your organization appointed a data security coordinator?
- Evaluate the types of personal information your organization possesses, who has access to it, and all the different places where personal information may be stored. Are employees being trained on data security on an ongoing basis? Are appropriate storage protections in place?
- Assess your organization’s risk factors, and consider the ways you can help to minimize potential breaches within your organization.
* * *
If you have questions about the Massachusetts data security law or any related issues, please feel free to contact one of our experienced employment lawyers.