Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office.

Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals.

“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”

Regarding the latter, the Mass. Attorney general’s office will soon be uploading a database to its website that will allow the public to view a summary of data breaches affecting state residents, similar to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights. The Massachusetts Attorney General’s “Wall of Shame” will list the organizations that have experienced data breaches, the date the breaches are believed to have occurred, and the number of state residents that are believed to have been impacted.

The new online portal and breach listings are part of the state’s commitment to make sure state residents are promptly notified about data breaches to enable them to take rapid action to mitigate risk.

Massachusetts is also committed to holding businesses accountable when security breaches are experienced that could easily have been prevented.

Last year, following notification of a breach by Equifax, Attorney General Healey filed an enforcement action against the credit monitoring firm seeking civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees in addition to injunctive relief to prevent harm to state residents. Massachusetts was the first state to launch such an enforcement action against the firm.

At the time, Healey said, “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”

Massachusetts is also one of a handful of states that has exercised the right to pursue financial penalties when healthcare organizations violate HIPAA Rules and expose patients’ health information. The state will continue to punish firms that fail to address vulnerabilities and do not implement reasonable safeguards to keep the personal information of state residents secure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.