Massachusetts Data Breach Notification Archive Now Available Online

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online.

The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form, with the identity theft report detailing the date the incident was reported, the organization affected, breach type, number of residents impacted, types of sensitive data exposed (SSNs, Driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports include breaches of both physical records and electronic personal information from 2007. The report for 2016 currently includes 1,865 breach summaries.

State law (Chapter 93H) requires all entities that maintain a record of any personal information of residents of the state of Massachusetts to issue breach notifications to individuals if their personal information is “acquired or used by an unauthorized person or for an unauthorized purpose.” Breaches of encrypted data are not reportable unless a key to unlock the data is also compromised. Breaches must also be reported to the state attorney general and the Office of Consumer Affairs and Business Regulation.

State law covers accidental and deliberate breaches including, but not limited to, loss and theft of electronic data or papers, hacking incidents, insider errors, and unintentional data leakage.

In the state of Massachusetts, personal information is classed as a state resident’s first and last name or initial and last name in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State-issued ID number
  • Financial account number
  • Credit or debit card number (with or without a CVV/CVC code)
  • Personal ID number and/or password that would allow a financial account to be accessed

Breach notifications are not required if data elements are lawfully obtained from publicly available information or federal, state, or local records that are available to the general public.

Breaches of medical information are not included in the state’s definition of personal information as is the case in a number of other states, although such information is covered under HIPAA Rules and breach notification letters would need to be issued to affected individuals by HIPAA-covered entities.

State public records law was updated in June last year, although the records have only just been made public. Consumer Affairs Undersecretary John Chapman issued a statement on January 3 explaining the move: “The Data Breach Notification Archive is a public record that the public and media have every right to view.” He went on to say, “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.