First introduced in 2015 and signed into law in June 2016, an amendment to the Massachusetts Public Records Law (M.G.L. c.66) now makes the state’s Office of Consumer Affairs and Business Regulation (OCABR) online Data Breach Notification Archive available to the public.
The state justifies this amendment by underscoring its “commitment to greater transparency throughout the Executive Office” and improving communication with the public. This amendment comes with additional changes to the Public Records Law, which aim to reduce the cost and time it takes to request public records. A statement from the Governor of Massachusetts noted that protections of certain personal information would continue.
The Data Breach Notification Archive holds the records of incidents in which the personal information of Massachusetts residents was compromised. The Massachusetts Data Security Law (M.G.L. c.93H) currently requires an entity to notify affected Massachusetts residents, the OCABR, and the Massachusetts Attorney General’s office when personal information is subject to unauthorized acquisition or unauthorized use, and that acquisition or use creates a substantial risk of identity theft or fraud. On receipt of such a notification, the OCABR stores it in the Data Breach Notification Archive. Previously the Archive was closed to the public. With the amendment to the Public Records Law, this information is now available in PDF format, including the name of the reporting entity, the date of the report to the OCABR, the number of impacted residents, and the type of personal information compromised.

Interestingly, this move appears to undercut the Massachusetts Data Security Law with respect to the required contents of notification letters. Notifications sent to affected Massachusetts residents currently may not include information on the nature of the breach or the total number of affected residents, yet the notification sent to the OCABR must include exactly this information, and that notification is now public. A resident who receives a Massachusetts letter can therefore look up the details the letter was required to omit. As a practical matter, we may soon see an amendment to the Massachusetts Data Security Law that removes the limits on what notification letters to affected individuals may contain.
Massachusetts is currently an outlier among the states in prohibiting information about the nature of the breach in notifications to affected individuals, which often forces a breached entity to prepare a separate Massachusetts version of its notification letter for Massachusetts residents affected by a multi-state breach. If Massachusetts amended its data breach notification law to allow disclosure of the nature of the breach to affected individuals, it could reduce the cost and complexity of coordinating multi-state breach notifications: a breached entity could use one multi-state form letter rather than at least two, one of which follows Massachusetts law and omits information about the nature of the breach. Reconciling the notification requirements of the 47 states that currently have data breach notification laws is one of the most complicated tasks a breached entity faces in breach response.
Personal information under the Massachusetts law is defined as a Massachusetts resident’s first and last name, or first initial and last name, in combination with that resident’s Social Security number, driver’s license number, state-issued identification card number, financial account number, or credit or debit card number. Massachusetts does not include health care information in its definition of personal information, although several states have amended their own data security laws to do so. Amendments to data security laws are introduced frequently and often mirror one another. For example, in 2016 Illinois amended its Personal Information Protection Act (815 ILCS 530/) to add health insurance and medical information, and also added two further data elements: unique biometric data, such as fingerprints, and a user name or email address in combination with a password or a security question and answer. Rhode Island has made similar changes to its data security law, the Rhode Island Identity Theft Protection Act, and New York State has recently introduced an amendment of its own that would track the language of the newly amended Illinois law.