Massachusetts's security breach law covers individuals, employers, and government agencies that own, license, maintain, or store personal information (MA Gen. Laws Ch. 93H Sec. 1 et seq.).
Personal information. This law defines "personal information" as a person's first name or initial and last name in combination with his or her Social Security number; driver's license number or state identification (ID) number; or financial account, debit, or credit card number, with or without any required security code, access code, or password. The law protects personal information regardless of how it is stored. In other words, unauthorized access or use of both electronic and paper files containing personal information trigger the law's notice requirements.
Notice. The law's notice requirements are triggered when the employer knows or has reason to know that a breach has occurred or that an unauthorized person has acquired or used the data for an unauthorized purpose. Unlike the security breach laws of many states, it does not matter under Massachusetts law whether or not there is a likelihood of harm as a result of the breach. The mere occurrence of a breach triggers the law's notice requirements.
In addition to the resident(s) affected, notice must also be provided to the ...