08/19/2020

What Is the Massachusetts Data Breach Notification Law?


Does your business manage the personal data of Massachusetts residents? If so, you’re subject to the Massachusetts Data Breach Notification Law, which we explored in detail during a recent webinar. In case you missed the webinar, you can watch it here.

The Massachusetts Data Breach Notification Law took effect last year. It ups the game for businesses that manage the personal data of Massachusetts residents. In fact, the law requires these businesses to:

1. Notify Massachusetts Residents About a Data Breach (or a Potential Data Breach)

In the event of a data breach or possible data breach, businesses that own or license the personal information of Massachusetts residents must notify:

  • The state’s Office of Consumer Affairs and Business Regulation and the Office of Attorney General 
  • Affected stakeholders 
  • Any consumers whose personal information may be at risk

Ultimately, the Massachusetts Data Breach Notification Law encourages businesses to protect the personal data of state residents in any way possible. The benefits of doing so are twofold. First, businesses that safeguard Massachusetts residents’ data against cyber attacks can avoid the potential revenue losses and brand reputation damage associated with a data breach (or a possible data breach). Second, these businesses can comply with the Massachusetts Data Breach Notification Law, thereby avoiding further revenue losses and brand reputation damage from non-compliance penalties.

2. Develop and Implement a Comprehensive Written Information Security Program (WISP)

The State of Massachusetts requires businesses to create, implement, and maintain a comprehensive WISP. Or, in the event of a data breach, a business must develop or review a risk-based WISP. In either scenario, a comprehensive WISP must account for:

  • Business size
  • Nature of the business
  • Amount of resources available to a business
  • Records that a business maintains
  • Business’ need for security

The State of Massachusetts offers a checklist that your business can use to ensure its WISP complies with state requirements. Of course, if your business handles the personal data of Massachusetts residents, it still needs to plan ahead for cyber attacks, regardless of whether it has already developed and implemented a comprehensive WISP. By working with an expert cyber security services and solutions provider like TSP, any business can create a WISP that complies with the Massachusetts Data Breach Notification Law and minimizes the risk of data breaches.

At TSP, we take the time to learn about new state, federal, and international data security laws. We help businesses analyze their systems and data and figure out which data security laws apply to them. Next, we enable businesses to implement risk-based programs to comply with data security laws and limit the risk of data breaches. That way, your business can follow the letter of the law and keep its systems and data safe against cyber attacks. 

3. Send a Notification Letter to Massachusetts Consumers Affected by a Data Breach

If your business experiences a data breach, you must notify affected consumers, even if the total number of state residents impacted by the incident has not yet been determined. The data breach notifications must be sent or updated on a rolling and continuous basis, and they must be posted on the Massachusetts Office of Consumer Affairs and Business Regulation’s website.

The State of Massachusetts requires a data breach notice sent to affected consumers to include the following:

  • A detailed description of the nature and circumstances of the data breach
  • Number of Massachusetts residents affected as of the notice date
  • Steps taken to resolve the data breach
  • Any additional steps that will be taken to resolve the data breach
  • Information about: 
    • Whether law enforcement officials are investigating the data breach
    • A consumer’s right to obtain a police report 
    • How to request a security freeze at no charge 
    • Complimentary credit monitoring services 
    • Name of the parent organization and subsidiary organizations affected by the data breach

A data breach notification is a message that no business wants to send to its customers. Thankfully, TSP helps businesses avoid data breaches — and the embarrassment that goes along with notifying customers. 


TSP provides expert insights into cyber security preparedness. We help businesses find the right cyber security services and solutions to keep pace with all types of cyber threats — from ransomware to botnets to phishing scams to viruses. Plus, we provide cyber security training and tutorials to ensure that businesses can teach their employees how to proactively combat cyber attacks.


Upgrade Your Security Posture with TSP

TSP IT Services is happy to help businesses find ways to comply with new data security laws and explore ways to enhance their security posture. To learn more, please email us at business@tsp.me or call us at 617-267-9716.