Data Breaches to be Publicly Listed Online in Massachusetts


Massachusetts Attorney General Maura Healey has announced the launch of a new Internet-based data breach reporting application. The aim is to make it as simple as possible for breached organizations to file breach notifications with the Attorney General’s office.

Under Massachusetts data breach notification legislation (M.G.L. c. 93H), organizations experiencing a breach of personal information must file a notification with the Massachusetts Attorney General’s office as soon as possible and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR), and notifications must be issued to affected individuals.

“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” stated Healey. “This new feature allows businesses to more efficiently report data violations so we can take action and share information with the public.”

In relation to the latter, the Massachusetts Attorney General’s office will soon be publishing a database on its website that will allow the public to view a summary of data breaches affecting state residents, similar to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights (OCR). The Massachusetts Attorney General’s “Wall of Shame” will list the organizations that have been hit by data breaches, the date the breaches are believed to have happened, and the number of state residents that are thought to have been impacted.

The new Internet-based portal and breach listings are part of the state’s commitment to ensuring that state residents are quickly notified about data breaches so that they can take swift action to mitigate risk.

Massachusetts is also committed to holding businesses accountable when security breaches occur that could easily have been avoided.

In 2017, following notification of a breach at Equifax, Attorney General Healey filed an enforcement action against the credit monitoring company seeking civil fines, disgorgement of profits, restitution, costs, and attorneys’ fees, along with injunctive relief to prevent harm to state residents. Massachusetts was the first state to bring such an enforcement action against the company.

At the time, Healey commented, “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”

Massachusetts is also one of a small number of states that have exercised the right to pursue financial penalties when healthcare organizations violate HIPAA Rules and expose patients’ health data. The state will continue to penalize firms that fail to address flaws and fail to put in place reasonable security measures to keep the personal information of state residents safe.