19 August, 2020

What is the Massachusetts Data Breach Notification law?

Does your business manage the personal data of Massachusetts residents? If so, you’re subject to the Massachusetts Data Breach Notification Law, which we explored in detail during a recent webinar.

Does your business manage the personal data of Massachusetts residents? If so, you’re subject to the Massachusetts Data Breach Notification Law, which we explored in detail during a recent webinar.

The Massachusetts Data Breach Notification Law took effect last year. It ups the game for businesses that manage the personal data of Massachusetts residents. The law requires these businesses to:

1. Notify Massachusetts residents about a data breach (or a potential data breach)

In the event of a data breach or possible data breach, businesses that own or license the personal information of Massachusetts residents must notify:

  • The state’s Office of Consumer Affairs and Business Regulation and the Office of Attorney General
  • Affected stakeholders
  • Any consumers whose personal information may be at risk

Ultimately, the Massachusetts Data Breach Notification Law encourages businesses to protect the personal data of state residents in any way possible. The benefits of doing so are twofold. Firstly, companies that safeguard Massachusetts residents’ data against cyber attacks can avoid the potential revenue losses and brand reputation damage associated with a data breach (or a possible data breach). Secondly, these businesses can comply with the Massachusetts Data Breach Notification Law. Therefore, avoiding further revenue losses and brand reputation damage due to non-compliance penalties.

2. Develop and implement a comprehensive written information security program (WISP)

The State of Massachusetts requires businesses to create, implement, and maintain a comprehensive WISP. Or in the event of a data breach, a company must develop or review a risk-based WISP. In either scenario, a complete WISP must account for:

  • Business size
  • Nature of the business
  • Amount of resources available to a business
  • Records that a company maintains
  • Businesses’ need for security

The State of Massachusetts offers a checklist that your business can use to ensure its WISP complies with state requirements. Of course, if your business handles the personal data of Massachusetts residents, it still needs to plan for cyber attacks. This is regardless of whether it has already developed and implemented a comprehensive WISP. By working with expert cybersecurity services and solutions providers like Tech Superpowers (TSP), any business can create a WISP that complies with the Massachusetts Data Breach Notification Law and minimizes the risk of data breaches.

At TSP, we take the time to learn about the new state, federal, and international data security laws. We help businesses analyze their systems and data and determine which data security laws apply to them. Next, we enable companies to implement risk-based programs to comply with data security laws and limit the risk of data breaches. That way, your business can follow the letter of the law and keep its systems and data safe against cyber attacks.

3. Send a notification letter to Massachusetts consumers affected by a data breach

If your business experiences a data breach, you must notify affected consumers even if the number of state residents impacted by the incident has not yet been determined. The data breach notifications must be sent or updated on a rolling and continuous basis. They must be posted on the Massachusetts Office of Consumer Affairs and Business Regulation’s website.

The State of Massachusetts requires a data breach notice sent to affected consumers to include the following:

  • A detailed description of the nature and circumstances of the data breach
  • Number of Massachusetts residents affected as of the notice date
  • Steps were taken to resolve the data breach
  • Any additional steps that will be taken to resolve the data breach
  • Information about:
    • Whether law enforcement officials are investigating the data breach
    • A consumer’s right to obtain a police report
    • How to request a security freeze at no charge
    • Complimentary credit monitoring services
    • Name of the parent organization and subsidiary organizations affected by the data breach

A data breach notification is a message that no business wants to send to its customers. Thankfully, TSP helps companies to avoid data breaches — and the embarrassment that goes along with notifying customers.

Tech Superpowers provides expert insights into cybersecurity preparedness. We help businesses find the right cybersecurity services and solutions to keep pace with all types of cyber threats — from ransomware to botnets to phishing scams to viruses. Plus, we provide cybersecurity training and tutorials to ensure that businesses can teach their employees how to combat cyber attacks proactively. Want more information on how it all works? Start a conversation with us today!

 

You might like this too.