Massachusetts Privacy Laws

Breach reporting must be made as soon as practicable and without unreasonable delay to the Attorney General and the Director of Consumer Affairs and Business Regulation. Additional reporting may be required to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Vendors must notify Organizations without unreasonable delay after discovery of a breach or suspected breach. In addition, Vendors must cooperate with Organizations to provide all necessary information regarding a breach and any remediation taken relating to an incident

Consumer notification must be given without delay, even if all affected consumers have not yet been determined. Follow-up notification is required once additional information becomes available. Specific information must be included in the regulatory reporting and consumer notification. Businesses whose breach includes a social security number must offer credit monitoring service at no cost to each resident whose social security number was compromised or believed to be compromised, for at least 18 months (or 42 months if the company is a consumer reporting agency). The Organization will be responsible to complete any required regulatory reporting and consumer notification.

Separate laws govern specific industries, including insurance, financial, and student data.

Vendors must maintain appropriate safeguards consistent with mandated requirements of Organizations, including, but not limited to, risk assessment, employee training, security policies, and internal disciplinary measures for violations. Disposal Vendors must be contracted. Disposal Vendors must implement and comply with policies and procedures to safeguard personal information from unauthorized access or acquisition during collection, transportation and disposal.

Organizations may be fined or penalized for Vendor violations. For violations of the breach notification requirements, the Attorney General may bring action with fines up to $5,000, and up to $10,000 for continued violations. For violations of data disposal laws, a civil fine up to $100 per data subject affected, up to $50,000, can be assessed for each instance of improper disposal.