Datalyst Blog

What You Need to Do After a Breach, According to the Data Breach Notification Law

Data breaches are serious threats, particularly for businesses here in Massachusetts, where we have things like the Data Breach Notification Law to contend with. In the interest of keeping your business on the right side of the law, let’s review what this law requires of you.

Let’s start by referring to the official Commonwealth of Massachusetts website. Just remember that nothing here should be considered legal advice; these are our professional recommendations only.

What Does the Data Breach Notification Law Require?

According to mass.gov:

“The Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security. They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose. In addition to providing notice to government agencies, you must also notify the consumers whose information is at risk.”

Let’s go through this summary piece by piece, to really explain what the law as a whole is saying.

“The Data Breach Notification Law requires businesses and others that own or license personal information of residents of Massachusetts to notify the Office of Consumer Affairs and Business Regulation and the Office of Attorney General when they know or have reason to know of a breach of security.”

What’s the Definition of a Security Breach?

Technically speaking, a security breach and a data breach aren’t the same thing, but in the context of this law, the difference is really one of severity. As we would define it, a security breach is someone getting past your network’s defenses, while a data breach is someone actually gaining access to your company’s data. Despite the name “Data Breach Notification Law,” the wording above (“a breach of security”) suggests that businesses are expected to report all breaches, not only those where data is confirmed to have been taken.

What is Considered “Personal Information?”

“Personal information” is defined by the Data Breach Notification Law as a state resident’s first and last name (or their first initial and last name), in conjunction with their Social Security number, their driver’s license number or state-issued identification number, or a financial account or credit/debit card number (with or without an access code, security code, password, or PIN). Publicly-available information, like addresses or birthdays, however, does not fall under this umbrella.

Important Detail: This Law Reaches Beyond Just Massachusetts

The fact that this law specifies “businesses and others that own or license personal information of residents of Massachusetts,” with no mention of where those businesses and others are located, tells us that this law applies everywhere. What matters is that the person the data belongs to resides in Massachusetts, not where the business that holds it is based.

“They must also provide notice if they know or have reason to know that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.”

You Can’t Try to Keep a Breach a Secret

According to Mass.gov, any business is required to report a breach to both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office once it discovers the breach or learns that personal information has been obtained, and these reports must be submitted after a “reasonable amount of time.”

What Needs to be Included in These Reports?

The notification brought to the attention of the aforementioned entities needs to include an assortment of details, as follows:

  • How and why the security breach and acquisition/use of data occurred, outlined in detail.
  • How many Massachusetts residents have been affected, as of the time of notification.
  • What steps have been taken to remedy the incident, as well as pending steps.
  • Whether or not law enforcement is involved in the investigation.

This needs to take place whether your organization was directly responsible for the breach or a vendor or business associate of yours is ultimately responsible.

We Can Help You Manage Your Notifications, or Even Better, Help Prevent a Breach in the First Place

Reach out to Datalyst to learn more about the cyber and data security services we offer. Give us a call at (774) 213-9701. This is definitely something that all New England businesses should be proactive about.
