Massachusetts Data Breach Archive: Annual Report

by John DiGiacomo, Partner

The Massachusetts Office of Consumer Affairs and Business Regulation has published an archive of yearly data breaches, which provides data breach statistics collected by the office from 2007 to the present. These statistics clearly show that data breaches are on the rise in Massachusetts. Since 2007, when there were 30 breach notifications, Massachusetts has seen a 620% increase in the number of data breach notifications filed in the state.

A close analysis shows that the vast majority of these breaches are electronic in nature and primarily target banks with customers within the state of Massachusetts. The new archive includes information on whether driver’s license, Social Security, credit, or debit card numbers were taken, whether the data breached was encrypted, whether a mobile phone was stolen, and the relief that was offered to the affected individuals, such as payment or credit monitoring.

It will be interesting to see how consumer advocacy groups and attorneys use this information and whether fear of being listed in the archive will provide companies with an incentive to provide better data protection and security. If you or your business has been the victim of a data breach, contact one of our attorneys today.

Massachusetts Data Breach Law: A Detailed Overview

Massachusetts has one of the most comprehensive data breach and data security legal frameworks in the country, and it applies to any business that owns, licenses, stores, or maintains personal information about Massachusetts residents — regardless of where the business itself is located. Understanding this framework is essential for any company that touches Massachusetts consumer data.

The Massachusetts Data Breach Notification Statute: M.G.L. c. 93H

Massachusetts General Laws Chapter 93H requires any person or entity that maintains personal information about Massachusetts residents to notify affected residents following a security breach of unencrypted personal information. Under M.G.L. c. 93H § 1, “personal information” is defined as a Massachusetts resident’s first name and last name or first initial and last name in combination with any of the following: Social Security number; driver’s license number or state-issued identification card number; financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to a resident’s financial account.

Notification to affected Massachusetts residents must be provided as soon as reasonably possible following the discovery or notification of a breach. The notification must also be provided to the Massachusetts Attorney General and to the Director of Consumer Affairs and Business Regulation. This dual-notification requirement — to both the AG and the Consumer Affairs office — is distinctive to Massachusetts and is the mechanism that generates the archive discussed above. The Massachusetts AG has authority to bring civil enforcement actions against businesses that fail to comply with Chapter 93H, and civil penalties can reach $5,000 per violation.

201 CMR 17.00: The Massachusetts Data Security Regulations

Massachusetts is one of the few states that goes beyond breach notification to mandate affirmative data security obligations. 201 CMR 17.00 requires every business that owns, licenses, stores, or maintains personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP). The WISP must be reasonably consistent with industry best practices for data protection, must include administrative, technical, and physical safeguards, and must specifically address:

  • Designation of an employee or employees to maintain the WISP.
  • Identifying and assessing reasonably foreseeable internal and external risks to personal information security.
  • Implementing and monitoring safeguards to address identified risks.
  • Imposing disciplinary measures for violations of the WISP.
  • Preventing terminated employees from accessing personal information.
  • Overseeing service providers through contractual requirements that the provider also maintains appropriate security measures.

Technical requirements under 201 CMR 17.00 include secure user authentication protocols, secure access control measures, encryption of personal information transmitted over public networks or stored on laptops and mobile devices, reasonable monitoring for unauthorized use, up-to-date firewall and malware protection, and employee training on proper use of the computer security system and the importance of data security.

What the Massachusetts Breach Archive Reveals

The Massachusetts breach archive published by the Office of Consumer Affairs and Business Regulation is a valuable tool for businesses assessing their risk profile, for researchers studying breach trends, and for policymakers evaluating whether existing legal frameworks are adequate. The archive’s granularity — tracking whether breached data was encrypted, what types of identifiers were exposed, and what remediation was offered — enables analysis that aggregate statistics alone cannot support.

The 620% increase in breach notifications between 2007 and the period covered by the archive reflects multiple converging factors: an increase in actual breach incidents, an increase in enforcement and awareness that leads to higher reporting rates, and a broadening of the types of incidents that qualify as reportable breaches. The shift from paper-based breaches (lost laptops, misfiled documents) toward electronic intrusions targeting financial institutions reflects the broader migration of sensitive data to digital and cloud platforms.

Practical Steps for Massachusetts Compliance

Any business that holds personal information of Massachusetts residents — including out-of-state businesses with Massachusetts customers — should take the following steps to ensure compliance with Chapter 93H and 201 CMR 17.00:

  • Develop and maintain a comprehensive written information security program (WISP) that meets the specific requirements of 201 CMR 17.00.
  • Encrypt all personal information of Massachusetts residents stored on laptops, mobile devices, and transmitted over public networks.
  • Review and update service provider contracts to include data security obligations compliant with 201 CMR 17.00.
  • Develop a breach response plan that includes the specific dual-notification requirement to the Massachusetts AG and the Director of Consumer Affairs and Business Regulation.
  • Conduct annual employee training on data security obligations under the WISP.

The data security and privacy attorneys at Revision Legal assist businesses with Massachusetts data breach compliance, WISP development, breach notification, and defense of regulatory enforcement actions. If your business has experienced a breach affecting Massachusetts residents, or if you want to assess your compliance with 201 CMR 17.00, contact us using the form on this page or call us at 855-473-8474.

How Massachusetts Compares to Other States — and What Businesses Must Do

Massachusetts’s combination of mandatory breach notification under Chapter 93H and affirmative data security obligations under 201 CMR 17.00 makes it one of the most demanding data security legal regimes in the country. Unlike the majority of states that require only breach notification, Massachusetts requires every business handling its residents’ personal information to affirmatively implement and maintain a written information security program — regardless of whether a breach has ever occurred.

For out-of-state businesses, this requirement is often a surprise. A technology company headquartered in Texas that sells software to Massachusetts businesses and holds the personal information of those businesses’ Massachusetts employees is subject to 201 CMR 17.00’s WISP requirement, even if the Texas company has no physical presence in Massachusetts. The reach of Massachusetts data security law extends wherever Massachusetts residents’ personal information travels.

The practical upshot is that any business operating at meaningful scale in the United States almost certainly has obligations under Massachusetts law. The Massachusetts AG’s enforcement record — including enforcement against out-of-state companies — makes compliance a genuine priority rather than a theoretical concern. Revision Legal assists businesses in developing WISP programs, auditing existing data security practices, and managing Massachusetts breach notification compliance. Contact us using the form on this page or call us at 855-473-8474.