On January 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced the online public availability of data breach notification records that it receives and maintains pursuant to the Massachusetts Data Security Law (M.G.L. c.93H), which were previously only available through a public records request.
Under the Massachusetts Data Security Law, entities that keep personal information of Massachusetts residents are required to notify affected residents, in addition to the Massachusetts Office of Consumer Affairs and Business Regulation and the Massachusetts Attorney General, in the event of a breach of security or unauthorized acquisition or use of residents’ personal information. “Personal information” under the Massachusetts Data Security Law is defined as “a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that ‘Personal information’ shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”
Information available through the online Data Breach Notification Archive dates back to 2007, when the Massachusetts Data Security Law first became effective, and includes information on reported data breaches such as the reporting organization’s name, the breach type (electronic or paper), the number of Massachusetts residents affected, and an indication of the types of personal information breached (such as Social Security numbers, account numbers, and driver’s license numbers).