Jackson Lewis

Massachusetts Identity Theft Law Creates Data Breach Notification, Protection and Destruction Requirements

Comprehensive identity theft legislation signed by Governor Deval Patrick makes Massachusetts the 39th state to protect residents by requiring that they be notified of an unauthorized access or use of their personal information. The law, approved on August 3, 2007, also includes requirements for requesting security freezes and data destruction, and directs a state agency to adopt regulations directed at safeguarding personal information. The data breach law is effective on February 3, 2008. (See also New York AG announces first settlement under NY's Information Security Breach and Notification Law and Texas Attorney General Files Data Security Suits For Claimed Flaws In Worker Information Practices).

Key Features of the Data Breach Law

  • Who is covered: The law applies to persons or agencies that own or license personal information, as well as to persons or agencies that maintain or store personal information on behalf of others. This means that any individual, business or governmental agency that owns, licenses, maintains or stores personal information needs to be aware of the new law and prepared to respond in the event of a breach.
  • What information is protected: Protected personal information includes the first name and last name, or first initial and last name, of a resident in combination with the resident's (i) social security number, (ii) driver's license number, (iii) state identification number, or (iv) financial account number or credit or debit card number, with or without any required security code, access code, or password that would permit access to the resident's account. Unlike most other state breach notification laws, which are limited to personal information maintained electronically, the Bay State law protects data, including personal information, regardless of physical form or characteristics. This means that unauthorized access to or use of paper files containing personal information would trigger the notice requirement under this law.
  • When notice is triggered: If personal information is lost or acquired by an unauthorized person or used for an unauthorized purpose, the law requires notice regardless of whether there is a likelihood of harm. This mandate goes beyond the requirements of many other state breach notice laws, which permit covered entities to avoid providing notice if a breach does not create a risk of harm.
  • Who must be notified: Most state breach notice laws require the covered entity to notify only the resident(s) who are affected. In Massachusetts, in addition to the resident(s) affected, notice must be provided to the attorney general and the director of consumer affairs and business regulation. The director of consumer affairs and business regulation, in turn, may advise the covered entity of other entities to inform, such as relevant consumer reporting and state agencies.
  • Content requirements for the notice: The Massachusetts law has different content requirements depending on the recipient of the notice. For example, the notice to the attorney general and the director of consumer affairs and business regulation must include the nature of the breach or unauthorized access or use, the number of residents affected, and what actions the covered entity is taking to address the incident. The notice to the resident, however, "shall not" include the nature of the breach or unauthorized access or use, or the number of residents affected, but must include other information, such as the right to obtain a police report.
  • When notice must be provided: As in most other states, notice must be provided as soon as possible and without unreasonable delay. Massachusetts permits a delay where law enforcement determines that notification would hinder a criminal investigation, provided that the law enforcement agency notifies the attorney general and the covered entity of that determination.
  • Enforcement: The attorney general may bring an action against a business to remedy any violations.

Regulations to Adopt Safeguards to Protect Personal Information

In addition to its breach notification requirements, the Massachusetts law also directs the department of consumer affairs and business regulation to adopt regulations that would require individuals, business entities and governmental agencies to safeguard any personal information about a resident of the Commonwealth that the covered entity owns or licenses. More specifically, the regulations must be designed to protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any resident of Massachusetts.

Data Destruction Requirements

The law also requires individuals, businesses and governmental agencies to take certain steps when disposing of records containing personal information, whether in paper or electronic form.

Records containing personal information must be destroyed so that personal information "cannot practically be read or reconstructed." Entities are permitted to use third parties to destroy such records. The third parties must implement and monitor compliance with policies and procedures to prohibit unauthorized access to or use of personal information in the course of the collection, transportation or destruction of the information. Entities purchasing these services should obtain written assurances from the third party that it is in compliance.

Covered entities that improperly dispose of records may be fined $100 per individual affected, up to a maximum of $50,000 per event.

* * *

While this measure may be good news for Massachusetts residents, the law significantly increases businesses' exposure to civil actions by individuals and the Massachusetts attorney general with regard to the security of their business and employment records. Exposure to litigation and penalties is enhanced for those businesses with large numbers of employees and operations in Massachusetts and other states, especially in view of some of the unique features of the Massachusetts law, noted above.

This is a general summary of the new law. Jackson Lewis attorneys are available to answer inquiries regarding particulars of the new law and assist employers in achieving compliance with its requirements.

Copyright © 1998-2010 Jackson Lewis LLP | Disclaimer | Privacy Policy | Site Map