Datalyst Blog
What You Need to Do After a Breach, According to the Data Breach Notification Law
Data breaches are serious threats, particularly for businesses here in Massachusetts, where we have things like the Data Breach Notification Law to contend with. In the interest of keeping your business on the right side of the law, let’s review what this law requires of you.
Let’s start by referring to the official Commonwealth of Massachusetts website—just remember, this in no way should be considered legal advice, just our professional recommendations.
What Does the Data Breach Notification Law Require?
According to mass.gov:
“The Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to providing notice to government agencies, you must also notify the consumers whose information is at risk.”
Let’s go through this summary piece by piece, to really explain what the law as a whole is saying.
“The Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security.”
What’s the Definition of a Security Breach?
Technically speaking, a security breach and a data breach aren’t the same thing, but in the context of this law, it’s really a difference of severity. As we would define it, a security breach is someone getting past your network’s defenses, while a data breach is someone gaining access to your company’s data. Despite the law being known as the Data Breach Notification Law, its wording suggests that businesses are expected to report all breaches of security, not only those where data is confirmed to have been taken.
What is Considered “Personal Information?”
“Personal information” is defined by the Data Breach Notification Law as a state resident’s first and last name (or their first initial and last name), in conjunction with their Social Security number, their driver’s license number or state-issued identification number, or a financial account or credit/debit card number (with or without an access code, security code, password, or PIN). Publicly available information, like addresses or birthdays, does not fall under this umbrella.
Important Detail: This Law Reaches Beyond Just Massachusetts
The fact that this law specifies “businesses and others that own or license personal information of residents of Massachusetts,” with no mention of where those businesses and others are located, tells us that this law applies everywhere—it’s the fact that the person the data belongs to resides in Massachusetts that matters, not where your business operates.
“They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.”
You Can’t Try to Keep a Breach a Secret
According to Mass.gov, any business is required to report a breach to both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office once it discovers the breach or learns that personal information has been obtained, and these reports must be submitted after a “reasonable amount of time.”
What Needs to be Included in These Reports?
The notification brought to the attention of the aforementioned entities needs to include an assortment of details. These details are as follows:
- How and why the security breach and acquisition/use of data occurred, outlined in detail.
- How many Massachusetts residents have been affected, as of the time of notification.
- What steps have been taken to remedy the incident, as well as pending steps.
- Whether or not law enforcement is involved in the investigation.
This needs to take place whether your organization was directly responsible for the breach or a vendor or business associate is ultimately responsible.
We Can Help You Manage Your Notifications, or Even Better, Help Prevent a Breach in the First Place
Reach out to Datalyst to learn more about the cyber and data security services we offer. Give us a call at (774) 213-9701. This is definitely something that all New England businesses should be proactive about.