
M.G.L. c. 93H

Massachusetts General Law Chapter 93H - Notification of Security Breaches

Tags: Massachusetts-specific, legally required, featured framework

Massachusetts law requiring notification of security breaches involving personal information.

Executive Summary

Mandates notice to the Massachusetts Attorney General, the Office of Consumer Affairs and Business Regulation (OCABR), and affected residents when a breach of security involving personal information occurs. Notice must be given in writing (or by an approved electronic form) as soon as practicable and without unreasonable delay; an entity that only stores or maintains the data notifies its owner or licensor, who in turn notifies the state and the residents.

Comprehensive Documentation

Massachusetts General Laws Chapter 93H - Data Breach Notification Law

Overview

Massachusetts General Laws Chapter 93H, enacted in 2007 and substantially amended in 2019, establishes mandatory data breach notification requirements for any person or agency that owns, licenses, stores, or maintains personal information about Massachusetts residents. It is among the more demanding state breach notification laws in the United States, and it works in conjunction with 201 CMR 17.00, the data security regulation OCABR issued under it (fully effective March 1, 2010), to create a comprehensive data security framework: the regulation says how personal information must be protected, the statute says what happens when that protection fails.

Who Must Comply

All persons and agencies that:

  • Own or license personal information about Massachusetts residents

  • Store or maintain personal information about Massachusetts residents (even if located outside Massachusetts)

  • Conduct business in Massachusetts and handle resident data

  • Are third-party service providers handling MA resident data on behalf of others


This applies regardless of the entity's location - if you handle personal information of Massachusetts residents, you must comply. The statute splits the duty by role: a person that merely maintains or stores data it does not own or license must notify the owner or licensor of the breach as soon as practicable and cooperate with it (section 3(a)); the owner or licensor is the party that notifies the Attorney General, OCABR and the affected residents (section 3(b)). A service contract should state explicitly which side sends which notice and how quickly the provider must report upstream.

Key Requirements

1. Breach Notification to Individuals

When a breach of security occurs involving personal information, the owner or licensor of the data must provide notice to:

Massachusetts Residents:

  • Notice must be provided "as soon as practicable and without unreasonable delay"

  • Notice is triggered when unencrypted personal information (or encrypted personal information together with the key or confidential process) was, or is reasonably believed to have been, acquired or used by an unauthorized person in a way that creates a substantial risk of identity theft or fraud

  • The statute (section 1, definition of "notice") recognizes two direct forms:

- Written notice to the resident's last known address
- Electronic notice, if consistent with the federal E-SIGN Act (15 U.S.C. section 7001)

Telephone notice is not a recognized form of notice under c. 93H.

Substitute Notice (permitted only when the cost of direct notice would exceed $250,000, more than 500,000 residents would have to be notified, or the entity lacks sufficient contact information). All three of the following are required together, not as alternatives:

  • Email notice to every affected resident for whom an email address is available

  • Clear and conspicuous posting on the entity's home page

  • Publication in or broadcast through media in the geographic area where the entity is located


2. Notification to Regulatory Authorities

Massachusetts Attorney General:

  • Must be notified as soon as practicable and without unreasonable delay, in parallel with resident notification (the AG's office accepts an online form)

  • Since the 2019 amendment (effective April 11, 2019), the notice must include at least:

- Nature of the breach of security or unauthorized acquisition or use
- Number of Massachusetts residents affected at the time of notification, with updates as the count changes
- Name and address of the person or agency that experienced the breach
- Name and title of the person reporting the breach, and their relationship to the breached entity
- Type of person or agency reporting the breach
- Person responsible for the breach, if known
- Type of personal information compromised (Social Security number, driver's license number, financial account or card number, or other data)
- Whether the entity maintains a written information security program (WISP), as 201 CMR 17.00 requires
- Steps taken or planned in response to the incident, including updates to the WISP

  • Where Social Security numbers were involved, the entity must also file a report with the AG and OCABR certifying that the credit monitoring it offers complies with section 3A

Director of Consumer Affairs and Business Regulation:

  • Must receive the same notice at the same time, via OCABR's online form or in writing

  • Same information requirements as the Attorney General notification

  • OCABR publishes a public log of the breach notices it receives, so assume the regulator notice will be read by customers and the press


3. Notification to Consumer Reporting Agencies and State Agencies

Unlike many states, c. 93H sets no head-count threshold (such as 1,000 residents) for notifying consumer reporting agencies. Instead:

  • On receipt of the notice, the Director of Consumer Affairs and Business Regulation identifies the relevant consumer reporting agencies and state agencies and forwards their names to the notifying entity

  • The entity must then notify those agencies as soon as practicable and without unreasonable delay

  • Time this notice with the resident mailing so the agencies can anticipate the volume of security freeze and fraud alert requests the letters will generate


What Constitutes Personal Information

Under M.G.L. c. 93H, section 1, "personal information" means a Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of:

- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident's financial account

Key Distinctions:

  • A name alone, or a data element alone, is not personal information; the combination is what counts

  • Information lawfully obtained from publicly available sources, or from federal, state or local government records lawfully made available to the public, is excluded

  • "Encrypted" has a statutory meaning: transformed by a 128-bit or higher algorithmic process into a form with a low probability of assigning meaning without a confidential process or key. Encrypted data is exempt from notification only while that key or process has not also been compromised

  • Unlike many other states, c. 93H does not list a username or email address combined with a password or security question as personal information, and it does not list biometric or medical data; exposure of those elements alone does not trigger a c. 93H notice, although other laws may apply


Breach of Security Definition

A "breach of security" (section 1) is the unauthorized acquisition or unauthorized use of:

  • Unencrypted data, or

  • Encrypted electronic data together with the confidential process or key

that is capable of compromising the security, confidentiality, or integrity of personal information and creates a substantial risk of identity theft or fraud against a Massachusetts resident. Good faith but unauthorized acquisition by an employee or agent for the entity's lawful purposes is not a breach, provided the information is not used in an unauthorized manner or subject to further unauthorized disclosure. The "substantial risk" element is a judgment call; record the analysis that supports it, and when in doubt treat the incident as notifiable.


Notification Timeline

"As Soon as Practicable and Without Unreasonable Delay":

  • No specific number of days is defined in the statute

  • Regulators read the phrase strictly: time spent investigating and containing is defensible, time spent deciding whether to notify is not. Many practitioners plan for notice well within 30 days of discovery.

  • Notice may not be delayed on the ground that the total number of affected residents has not yet been determined; notify the AG and OCABR on what is known and supplement the notice as the count is refined (section 3(b), as amended in 2019)

  • Delay is permitted only if a law enforcement agency determines that notice may impede a criminal investigation and has so notified the Attorney General in writing; notice then goes out once law enforcement advises that it will no longer impede the investigation

  • Must document reasons for any delay


Contents of Notification

Notice to affected individuals is prescribed by section 3(b) and differs from the generic multi-state template. It must include at least:

  1. The resident's right to obtain a police report

  2. How the resident requests a security freeze, and the information the resident must provide to the consumer reporting agencies when requesting one

  3. That there is no charge for a security freeze

  4. The mitigation services being offered under the chapter; where Social Security numbers were involved, section 3A requires credit monitoring at no cost to the resident for at least 18 months (42 months if the breached entity is itself a consumer reporting agency), and the resident cannot be required to waive any right to sue as a condition of accepting it

  5. If the breached entity is owned by another company, the name of the parent or affiliated corporation


The resident notice must NOT include the nature of the breach or the number of Massachusetts residents affected. A letter that describes the incident in general terms, as most other states require, does not comply in Massachusetts; maintain a state-specific version. Adding a telephone number for questions, the toll-free numbers of the major consumer reporting agencies, and a reminder to review account statements is good practice and is not prohibited.


Relationship to 201 CMR 17.00

M.G.L. c. 93H works in conjunction with 201 CMR 17.00:

  • 201 CMR 17.00 is the regulation OCABR issued under c. 93H, section 2(a). It sets the preventive standard: a written information security program (WISP), risk assessment, access controls, encryption of personal information transmitted over public networks or wirelessly and of personal information stored on laptops and portable devices, and monitoring

  • M.G.L. c. 93H itself establishes the notification duties after a breach occurs

  • Compliance with 201 CMR 17.00 does not eliminate the need to comply with M.G.L. c. 93H; conversely, the regulator notice must state whether a WISP exists, so a 201 CMR 17.00 gap becomes visible the moment a breach is reported

  • Both apply to personal information of Massachusetts residents, wherever the holder is located


Penalties and Enforcement

Civil Penalties:

  • Section 6 authorizes the Attorney General to bring an action under M.G.L. c. 93A, section 4 (the consumer protection statute) to remedy violations of the chapter

  • Remedies available under c. 93A, section 4 include injunctive relief, restitution, and civil penalties of up to $5,000 per violation, plus costs and attorney's fees

  • Affected individuals may have a private right of action under c. 93A; section 3A bars conditioning credit monitoring on a waiver of that right


Reputational Damage:
  • Public disclosure of breach required

  • Media coverage of large breaches

  • Loss of customer trust and business impact


Best Practices for Compliance

1. Incident Response Plan


  • Maintain a written incident response plan

  • Define roles and responsibilities

  • Include notification templates and procedures

  • Test the plan regularly


2. Breach Detection and Assessment


  • Implement monitoring and detection systems

  • Conduct thorough investigation when breach suspected

  • Document all findings and decision-making

  • Engage legal counsel early in the process


3. Notification Preparation


  • Maintain current contact information for residents

  • Have pre-approved notification templates

  • Establish relationships with credit monitoring services

  • Prepare communications strategy for media inquiries


4. Documentation


  • Document discovery date and circumstances

  • Maintain records of investigation

  • Document notification decisions and timing

  • Retain copies of all notifications sent

  • Keep records of regulatory notifications


5. Preventive Measures


  • Implement comprehensive security program per 201 CMR 17.00

  • Conduct regular security assessments

  • Train employees on data security

  • Encrypt personal information

  • Limit data collection and retention


Common Compliance Challenges

Challenge 1: Determining if a Breach Occurred


Solution:
  • Conduct thorough forensic investigation

  • Consult with cybersecurity experts

  • Document analysis and conclusions

  • When in doubt, lean toward notification


Challenge 2: Identifying Affected Massachusetts Residents


Solution:
  • Maintain accurate geographic data

  • Review all potentially affected records

  • Implement data classification systems

  • Consider over-inclusive approach to be safe
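
The two challenges above reduce to a record-by-record test: is the subject a Massachusetts resident, is a statutory name present, and is at least one qualifying data element readable (unencrypted, or encrypted while the key or confidential process was also taken)? The following Python is an added example, not part of the original page or of any official Massachusetts tooling. It encodes that test over a constructed record set whose field names (state, first_name, elements, encrypted_fields, key_compromised, person_key) are assumptions about an exported breach data set, and returns the figures the AG and OCABR notice asks for: distinct affected residents, the types of personal information compromised, and whether the section 3A credit monitoring duty is triggered.

```python
"""Triage of compromised records against the M.G.L. c. 93H definitions.
Added example with a constructed record schema; the public-record exclusion
and the "substantial risk" judgment remain human decisions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Qualifying data elements (c. 93H s.1): assumed field name -> notice label.
DATA_ELEMENTS: Dict[str, str] = {
    "ssn": "social security number",
    "drivers_license": "driver's license or state ID number",
    "financial_account": "financial account or card number",
}

@dataclass
class ExposedRecord:
    """One row of the compromised data set (constructed schema)."""
    record_id: str
    state: str                            # two-letter state of residence
    first_name: Optional[str]             # full first name or initial only
    last_name: Optional[str]
    elements: Dict[str, str]              # field name -> value present
    encrypted_fields: Set[str] = field(default_factory=set)
    key_compromised: bool = False         # key or process also acquired
    person_key: Optional[str] = None      # stable customer id, if known

@dataclass
class TriageResult:
    affected_residents: int               # distinct MA residents
    element_types: Set[str]               # labels for the regulator notice
    credit_monitoring_required: bool      # s.3A: SSN was exposed
    notifiable_record_ids: List[str]

def has_statutory_name(rec: ExposedRecord) -> bool:
    """First name or first initial, in combination with last name."""
    return bool((rec.first_name or "").strip()) and bool((rec.last_name or "").strip())

def exposed_elements(rec: ExposedRecord) -> Set[str]:
    """Qualifying elements the attacker could read. Encrypted elements are
    exempt unless the confidential key or process was acquired as well."""
    readable = set()
    for name, value in rec.elements.items():
        if name not in DATA_ELEMENTS or not value:
            continue
        if name in rec.encrypted_fields and not rec.key_compromised:
            continue
        readable.add(name)
    return readable

def is_93h_personal_information(rec: ExposedRecord) -> bool:
    """MA resident + statutory name + at least one readable element."""
    return (
        rec.state.strip().upper() == "MA"
        and has_statutory_name(rec)
        and bool(exposed_elements(rec))
    )

def triage(records: Iterable[ExposedRecord]) -> TriageResult:
    """Aggregate notifiable records into the figures the notices need."""
    residents: Set[str] = set()
    element_types: Set[str] = set()
    ids: List[str] = []
    for rec in records:
        if not is_93h_personal_information(rec):
            continue
        ids.append(rec.record_id)
        # Dedupe on a stable customer id when present; the normalised-name
        # fallback is an assumption and will merge namesakes.
        key = rec.person_key or (
            rec.first_name.strip().lower() + "|" + rec.last_name.strip().lower()
        )
        residents.add(key)
        element_types |= {DATA_ELEMENTS[e] for e in exposed_elements(rec)}
    return TriageResult(
        affected_residents=len(residents),
        element_types=element_types,
        credit_monitoring_required=DATA_ELEMENTS["ssn"] in element_types,
        notifiable_record_ids=ids,
    )

# Constructed sample; identifiers are placeholders, not real values.
SAMPLE_RECORDS = [
    ExposedRecord("r1", "MA", "Jane", "Doe", {"ssn": "000-00-0000"}, person_key="c100"),
    # Card number encrypted and the key stayed secret: exempt.
    ExposedRecord("r2", "MA", "J", "Smith", {"financial_account": "4111111111111111"},
                  encrypted_fields={"financial_account"}, person_key="c200"),
    # Same ciphertext, but the key was exfiltrated too: notifiable.
    ExposedRecord("r3", "MA", "J", "Smith", {"financial_account": "4111111111111111"},
                  encrypted_fields={"financial_account"}, key_compromised=True,
                  person_key="c200"),
    # Not a Massachusetts resident: outside c. 93H.
    ExposedRecord("r4", "NH", "Bob", "Lee", {"ssn": "000-00-0001"}),
    # Data element with no name attached: not "personal information".
    ExposedRecord("r5", "MA", None, "Brown", {"drivers_license": "S00000000"}),
    # Second record for Jane Doe: adds an element type, not a resident.
    ExposedRecord("r6", "MA", "Jane", "Doe", {"drivers_license": "S00000001"}, person_key="c100"),
]

if __name__ == "__main__":
    r = triage(SAMPLE_RECORDS)
    print(r.affected_residents, sorted(r.element_types),
          r.credit_monitoring_required, r.notifiable_record_ids)
```

Run against the constructed set it reports two distinct residents (Jane Doe counted once across two records, J. Smith only via the record whose key was taken), all three element types for the regulator notice, and the section 3A credit monitoring duty triggered by the SSN. The point of the key_compromised flag is that the encryption exemption is a property of the incident, not of the data set: the same ciphertext is exempt in r2 and notifiable in r3.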


Challenge 3: Meeting Notification Timelines


Solution:
  • Activate incident response plan immediately

  • Dedicate sufficient resources to investigation

  • Prepare notification materials in advance

  • Balance speed with accuracy


Challenge 4: Coordinating Multi-State Notifications


Solution:
  • Understand that MA requirements differ in kind, not only in strictness: the resident notice may not describe the breach or state the number affected, while most other states require a general description of the incident. A single nationwide letter cannot satisfy both; maintain a Massachusetts variant

  • Use the MA regulator notice (nine itemized elements, including whether a WISP exists) as a baseline for the regulator filings to other states, then check each state's additions

  • Engage legal counsel familiar with multi-state compliance

  • Consider federal standards (e.g., HIPAA, GLBA) if applicable; they run concurrently and carry their own timelines and content rules


Recent Developments and Trends

Increased Enforcement:

  • The Massachusetts Attorney General has increased enforcement actions

  • Settlements often include significant financial penalties

  • Consent decrees may require specific security improvements


2019 Amendment (effective April 11, 2019):

  • Mandatory credit monitoring at no cost (18 months; 42 months for consumer reporting agencies) when Social Security numbers are exposed, and no waiver of the right to sue may be required as a condition

  • Expanded, itemized content for the AG and OCABR notice, including whether the entity maintains a WISP

  • Notice may no longer be delayed while the affected count is finalized; rolling updates are required

  • Resident notice must name the parent or affiliated corporation where one exists


Definition of Personal Information:

  • Many other states have expanded their definitions to cover biometric data and online account credentials (username or email address plus password or security question)

  • Massachusetts has not: c. 93H still covers only a name combined with a Social Security number, driver's license or state ID number, or financial account or card number. In a multi-state incident treat the MA definition as a floor, not a ceiling


Coordination with Other Laws:
  • GDPR requirements for EU residents

  • CCPA/CPRA requirements for California residents

  • Federal sector-specific laws (HIPAA, GLBA)

  • Potential federal privacy legislation


Integration with Cybersecurity Program

M.G.L. c. 93H should be integrated into your overall cybersecurity program:

  1. Prevention (201 CMR 17.00):

- Implement required security controls
- Conduct regular risk assessments
- Train workforce on security practices

  2. Detection:

- Deploy monitoring and alerting systems
- Conduct regular security audits
- Implement incident detection procedures

  3. Response (M.G.L. c. 93H):

- Activate incident response plan
- Conduct investigation and containment
- Perform notification obligations

  4. Recovery:

- Implement remediation measures
- Conduct lessons learned analysis
- Update security controls and procedures

Resources and Official Sources

Official Statute:

  • Massachusetts General Laws Chapter 93H

  • Available at: https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H


Regulatory Guidance:
  • Massachusetts Attorney General's Office guidance on data security

  • Office of Consumer Affairs and Business Regulation guidance


Notification Addresses:
  • Attorney General: data breach notification via online form or mail

  • Director of Consumer Affairs: Office of Consumer Affairs and Business Regulation


Key Takeaways for Massachusetts Companies

  1. M.G.L. c. 93H applies to all entities handling MA resident data, regardless of location; a holder that does not own the data notifies the owner, and the owner notifies the state and the residents

  2. Notification must be prompt - "as soon as practicable and without unreasonable delay" - and cannot wait for a final head count

  3. Multiple parties must be notified - residents, the AG, the Director of OCABR, and the consumer reporting and state agencies OCABR identifies

  4. Documentation is critical - maintain records of breach discovery, investigation, and notifications

  5. Prevention is better than notification - implement 201 CMR 17.00 security controls, and be ready to tell the AG whether a WISP exists

  6. Encrypted data is exempt only while the key stays secret - encryption is your best defense, and key management is what makes the exemption hold

  7. Penalties can be severe - up to $5,000 per violation under c. 93A, mandatory 18-month credit monitoring when SSNs are exposed, plus reputation damage

  8. Integration is essential - M.G.L. c. 93H must be part of a comprehensive security program


Compliance Checklist

  • [ ] Incident response plan includes M.G.L. c. 93H notification procedures

  • [ ] Breach detection and monitoring systems in place

  • [ ] Forensic investigation procedures established

  • [ ] Notification templates prepared and legally reviewed

  • [ ] Contact information for residents maintained and current

  • [ ] Attorney General and Director notification procedures documented

  • [ ] Credit monitoring vendor identified, with contract terms covering the 18-month (or 42-month) section 3A period

  • [ ] Employee training on breach response procedures

  • [ ] Documentation procedures for breach investigation

  • [ ] Legal counsel identified for breach response

  • [ ] Media relations strategy prepared

  • [ ] Regular testing of incident response plan

  • [ ] Integration with 201 CMR 17.00 security program

Applicable Industries

All Industries

Company Size

All company sizes

Massachusetts-Specific Requirements

Requires notification to the MA Attorney General, the Office of Consumer Affairs and Business Regulation, and affected residents as soon as practicable and without unreasonable delay after discovering a breach of security.

For Massachusetts Companies

This is a Massachusetts-specific regulation that applies to companies operating in or serving residents of Massachusetts. All applicable Massachusetts companies must comply.
