
Massachusetts Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay

FINES & PENALTIES – Violations
Up to $5,000 per violation

Legal

Regulation Levels

  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information, privacy and security.

QUICK FACTS

Massachusetts Privacy Law Information

PRIVACY PROGRAM

Due to the extensive data protection requirements, Organizations should also be prepared to demonstrate data protection compliance. Minimum safeguard standards are required of Organizations, including a written information security program for the protection and security of personal information. Organizations must contract with Vendors to require that Vendors maintain appropriate safeguards to protect the personal information of the Organization.

BREACH REPORTING

Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation. The Organization is responsible for completing any required regulatory reporting and consumer notification. Vendors must notify Organizations without unreasonable delay after discovery of a breach or suspected breach. In addition, Vendors must cooperate with Organizations to provide all necessary information regarding a breach and any remediation taken relating to an incident.

CONSUMER NOTIFICATION

Consumer notification must be given without delay, even if all affected consumers have not yet been determined. Follow-up notification is required once additional information becomes available. Specific information must be included in the regulatory reporting and consumer notification. Businesses whose breach includes a social security number must offer credit monitoring service at no cost to each resident whose social security number was compromised or believed to be compromised, for at least 18 months (or 42 months if the company is a consumer reporting agency). The Organization is responsible for completing any required regulatory reporting and consumer notification.

INDUSTRY SPECIFIC LAWS

Separate laws govern specific industries, including insurance, financial, and student data.

VENDOR/THIRD PARTIES

Vendors must maintain appropriate safeguards consistent with mandated requirements of Organizations, including, but not limited to, risk assessment, employee training, security policies, and internal disciplinary measures for violations. Disposal Vendors must be contracted. Disposal Vendors must implement and comply with policies and procedures to safeguard personal information from unauthorized access or acquisition during collection, transportation and disposal.

FINES & PENALTIES

Organizations may be fined or penalized for Vendor violations. For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations. For violations of data disposal laws, a civil fine up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.

Massachusetts Statutes and Laws

201 CMR §§ 17.00 – 17.05: Standards for the Protection of Personal Information of MA Residents

603 CMR 23.00: Student records

MASS. GEN. LAWS CH. 71: Public schools

MASS. GEN. LAWS CH. 93H § 1: Definitions

MASS. GEN. LAWS CH. 93H § 2: Regulations to safeguard personal information of commonwealth residents

MASS. GEN. LAWS CH. 93H § 3: Duty to report known security breach or unauthorized use of personal information

MASS. GEN. LAWS CH. 93H § 3A: Breaches of security including social security numbers; offer of credit monitoring services required

MASS. GEN. LAWS CH. 93H § 4: Delay in notice when notice would impede criminal investigation; cooperation with law enforcement

MASS. GEN. LAWS CH. 93H § 5: Applicability of other state and federal laws

MASS. GEN. LAWS CH. 93H § 6: Additional duties of attorney general

MASS. GEN. LAWS CH. 93I: Dispositions and destruction of records

MASS. GEN. LAWS CH. 93I § 1: Definitions

MASS. GEN. LAWS CH. 93I § 2: Standards of disposal of records containing personal information; disposal by third party; enforcement

MASS. GEN. LAWS CH. 93I § 3: Enforcement

MASS. GEN. LAWS CH. 111: Public health

MASS. GEN. LAWS CH. 167: Supervision of banks

MASS. GEN. LAWS CH. 167A: Bank holding companies

MASS. GEN. LAWS CH. 175I: Insurance information and privacy protection

DISCLAIMER

The information provided is not legal guidance or recommendations and is for informational purposes only.