Massachusetts
Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: As soon as practicable and
without unreasonable delay
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to persons and businesses, that own, license, maintain, or store covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if the breach does not create a substantial risk of identity theft or fraud against a resident.
Breach Defined
Unauthorized acquisition or use of covered info that creates a substantial risk of identity theft or fraud against a resident, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, so long as encryption key was not compromised.
Form of Covered Info
Electronic or Paper
Covered Information
A Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements:
Social Security number.
- Driver's license number or state-issued identification card number.
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
Consumer Notice Timing
Must be made as soon as practicable and without unreasonable delay when covered entity knows or has reason to know a breach or other unauthorized acquisition or use of covered info has occurred.
Consumer Notice Method
By written notice or electronic notice (if consistent with E-SIGN and Mass. Gen Laws ch 110G). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The notification shall include but not be limited to:
- The consumer's right to obtain a police report.
- How to request a security freeze and the necessary information to be provided when requesting the security freeze.
- That there shall be no charge for a security freeze.
- Mitigation services to be provided.
- The notification shall not include the nature of the breach or unauthorized acquisition or use or the number of affected residents.
Delayed Notice
Notification may be delayed if law enforcement determines notice may impede a criminal investigation and notifies the Attorney General in writing. The entity must cooperate with law enforcement, including sharing information relevant to the incident.
Government Notice
Must notify the Attorney General and the Director of the Office of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay. Notice must include the nature of the incident, the number of residents affected, and any steps the entity has taken or plans to take relating to the incident.
Consumer Reporting Agency Notice
Covered entity must notify any consumer reporting agency identified by the Director of Consumer Affairs and Business Regulation. The notice to Consumer Reporting Agencies must include the same information required in notices to the attorney general and other governmental or regulatory agencies.
Exceptions for Other Laws
Under the statute, covered entities that maintain and comply with breach response procedures under federal laws, rules, regulations, guidance, or guidelines will be deemed in compliance with the statute if they notify: Massachusetts residents of the breach; the attorney general and Director of the Office of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay of the breach; and
any steps the entity has taken or plans to take relating to the breach under the applicable federal law, rule, regulation, guidance, or guidelines.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it as soon as practicable and without unreasonable delay when you know or have reason to know of a breach or other unauthorized acquisition or use of covered info. Must also cooperate with owner or licensor of the covered info (including specific disclosure obligations).
Private Right of Action
*The Massachusetts statute does not explicitly provide for a private right of action, but individuals may have a private right of action for a Chapter 93H violation by enforcing the statute through Chapter 93A (see Portier v. NEO Tech. Sols., 2019 WL 7946103, at *26-*28 (D. Mass. 2019)).
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023