Massachusetts recently became the 39th state to enact a data breach notification law. The law was approved by the governor on August 2, 2007.
There is some confusion about when the law takes effect. Many legal reviewers have reported February 3, 2008, but that deferred effective date applies only to section 17, the provision governing the destruction of records. Section 16, the section that contains the breach notification requirements, has no specifically enumerated effective date. Because section 16 carries no stated effective date, it takes effect on the default date of October 31, 2007.
The law applies to any person, corporation, association, partnership, other legal entity or governmental organization that maintains or stores data that includes personal information about a Massachusetts resident. Personal information is defined as a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
A security breach is defined as “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud.” Note the practical consequence of this definition: encryption keeps an incident outside the definition only as long as the decryption key or confidential process is not also compromised. If the attacker obtains the encrypted data together with the key, the incident is a breach.
A person or agency that only stored or maintained the data must give notice to the owner or licensor of the data as soon as practicable and without unreasonable delay when the person or agency knows or has reason to know about the breach, or when the person or agency knows or has reason to know that the data was used by an unauthorized person or for an unauthorized purpose. The person or agency must also cooperate fully with the owner or licensor except that the agency or person does not have to divulge confidential business information or trade secrets.
A person or agency that owned or licensed the data must provide notice to the attorney general, the director of consumer affairs, and the affected resident. The director of consumer affairs must identify any relevant consumer reporting agencies or state agencies and forward their names to the notifying person or agency, which must then provide notice to those consumer reporting and state agencies on behalf of the affected individuals.
Like other states' breach notification laws, the Massachusetts law allows notice to be delayed if a law enforcement agency determines that complying with the notice requirements would impede a criminal investigation. For this exemption to apply, the law enforcement agency must notify the attorney general of its determination in writing.
The Massachusetts attorney general may bring an action against a person, or seek other remedies, to address violations of this law, and may seek any other relief that may be appropriate.
Because there are so many variants in the state breach notification laws, companies that have security incidents should work with experienced counsel to carefully review the data breach laws in the relevant states to determine whether notification is required under the circumstances.