What is a Data Breach?
What is Data?
Answering this question first requires knowing how Massachusetts law defines data. In M.G.L. Chapter 93H, data is “any material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.” The definition is deliberately broad: if you run or own a business in Massachusetts that collects information through an online intake form, in an in-house database, over the phone or on paper, you or your business may be liable for any breach involving that data, particularly if you do not report the breach.
Reporting the Data Breach
Under M.G.L. Chapter 93H, section 3, a Massachusetts business or individual that maintains or stores personal information but does not own or license that data must report a breach to the owner or licensor of the data. If the business owns or licenses the data that was breached, it must report the breach not only to the resident whose data was breached but also to the attorney general and to the director of consumer affairs and business regulation. In either case notice must be given as soon as practicable and without unreasonable delay. A failure on the part of the business to follow this law could result in serious liability.
The Breach Itself
Under the statute, a breach of security is the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the key or process needed to decrypt it, that creates a “substantial risk of identity theft or fraud against a resident of the commonwealth.” Id. A good-faith but unauthorized acquisition of personal information for the lawful purposes of the business, for example where a vendor believes it has authority to review a business’s client list and does not, is not treated as a breach so long as the information is not used in an unauthorized manner or disclosed further, and may not result in liability to the business involved.
What Responsibilities Does My Business Have to Protect Data?
M.G.L. Chapter 93H authorizes the Office of Consumer Affairs and Business Regulation to issue regulations, and that office has adopted 201 CMR 17.00, a set of standards defining the responsibilities of any business or individual that handles personal information of Massachusetts residents. Under 201 CMR 17.00, businesses must do three things:
- Make sure that personal information is secure and confidential as per industry standards
- Protect residents against threats/hazards to security of such information
- Protect against unauthorized access or use that might result in substantial harm (or even substantial inconvenience) to a consumer
What is Personal Information?
If your business collects a first and last name, or a first initial and last name, together with any one of a Social Security number, a driver’s license or other state identification number, a bank or other financial account number, or a credit or debit card number (with or without any required security code, access code, PIN or password), you are collecting personal information under the definition in the aforementioned law and regulations. Most importantly, if you do collect personal information and that information could in any way be breached or accessed, then you have an affirmative duty to protect it.
The following combination of items is considered personal information when collected by a business in Massachusetts:
- First name and last name, OR first initial and last name
- AND any one of the following: Social Security number; driver’s license number; state identification number; financial account number; credit card number; debit card number
How Do I Protect My Massachusetts Business?
Your Massachusetts business must have a written information security program (WISP) and must designate a named individual responsible for ensuring that the WISP is implemented and complied with. Failure to maintain a WISP for your Massachusetts business can result in an attorney general investigation and sanctions. Since the purpose of the WISP is to require Massachusetts businesses to develop protocols that protect personal information from identity theft, a failure to develop a WISP and implement it is likely to result in severe penalties from the state should a breach result in harm to a Massachusetts resident.
Develop a WISP policy for your business first by understanding the anatomy of a WISP and then enlist our offices to help you structure that WISP to remain in compliance with MGL Chapter 93H and 201 CMR 17.00.
DISCLAIMER:
The information provided in the pages and posts of this website is for general informational purposes only. The information presented on this site is not legal advice, and no attorney-client relationship is formed by the use of this site.