On Jan. 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will begin making its data breach notification archive publicly available online. Previously, data breach notifications filed with the Massachusetts attorney general were only available through public records requests. The change was made pursuant to the June 2016 amendment to the Public Records Law, which, among other things, authorized individual agencies to post public record information of significant interest that agencies deem appropriate.
“The Data Breach Notification Archive is a public record that the public and media have every right to view,” said Consumer Affairs Undersecretary John Chapman. “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records Law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”
The Massachusetts data breach notification law, M.G.L.A. 98 H § 3, requires an organization to notify Massachusetts residents whose personal information has been compromised and to notify the Massachusetts attorney general. Unlike any other state breach notification law, however, the Massachusetts data breach notification law prohibits the notice to affected residents from including “the nature of the breach or unauthorized acquisition or use or number of residents of the commonwealth affected by said breach or unauthorized access or use.” In contrast, the notice to the Massachusetts attorney general must include “the nature of the breach of security or unauthorized acquisition or use, the number of residents of the commonwealth affected by such incident at the time of notification, and any steps the person or agency has taken or plans to take relating to the incident.” The Massachusetts attorney general also expects organizations to include a sample of the breach notification letters sent to Massachusetts residents.
California, Maryland, New Hampshire and Oregon are among the few states that currently post online the breach notifications provided to their respective attorneys general. Numerous bloggers and media outlets monitor these websites to report on data breaches that otherwise haven’t been reported to the media. As such, organizations must prepare for greater public visibility of incidents – particularly smaller incidents that otherwise may not receive any public awareness beyond the letter recipients – now that all Massachusetts notifications will be posted online.