Massachusetts Attorney General Maura Healey has unveiled a new, “easier and more efficient” way to notify her office of data breaches. The Massachusetts Attorney General’s Office has created an online portal and web form for submitting data breach notifications. An email announcing the changes was transmitted this week to attorneys who have previously filed data breach notices on behalf of clients. The email requested our “assistance in passing the message along,” which we are hereby doing.
Attorney General Healey stated, “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.” The Attorney General’s Office website will soon include a publicly accessible database of data breaches reported to the Office. Other states, including California and Maryland, maintain similar public databases.
Under the Massachusetts Data Breach Notification Law, “a person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose . . . .” Notice must be provided to: (1) the affected Massachusetts residents; (2) the Attorney General; and (3) the Office of Consumer Affairs and Business Regulation (OCABR). The Attorney General’s press release stresses that this notification obligation applies “any time personal information is accidentally or intentionally compromised.”
The use of the new notification portal is voluntary, so you can still send paper letters to the Attorney General’s Office if you prefer. Sample letters to the Attorney General and to affected Massachusetts residents are available on the Attorney General’s website. The OCABR continues to offer its own online portal and notification form, as well as a mailing option; a filing with the Attorney General does not satisfy the separate OCABR requirement.
The Massachusetts Attorney General’s Office has made quick reporting of data breaches a priority. Although the state law does not set a firm deadline, the Attorney General’s Office reads the statutory language – “as soon as practicable and without unreasonable delay” – as requiring notification sooner than the fixed windows (e.g., 30, 45, or 60 days) that a number of other states allow.
A good illustration of Massachusetts’ approach can be found in its civil enforcement action against Equifax. The Massachusetts Attorney General’s complaint alleges that Equifax violated the Massachusetts Data Breach Notification Law by waiting six weeks from its discovery of the breach to make notifications.
This follows a general trend among state, federal and foreign regulators toward requiring notification of data breaches very quickly after initial discovery of a problem. We expect that trend to continue as new laws and regulations tighten notification timeframes. It is therefore critical that every organization’s incident response plan sets forth each potentially applicable notification deadline, the event that starts its clock (in Massachusetts, the point at which the organization knows or has reason to know of the breach), and a game plan for meeting it.