On January 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) announced that it created a publicly available online Data Breach Notification Archive (the “Archive”), becoming one of only a handful of states in the nation that post data breach information online for public consumption. The Archive was created in response to an update in Massachusetts’ Public Records law, which was signed by Governor Baker last June, and mandates the online placement of certain public records that an agency deems of “significant interest.” Notably, the information maintained by OCABR had previously only been available through public records requests sent directly to the agency. However, given the ever-growing number of reported data breaches and affected consumers, and public concern about the protection of personally identifiable information, it is not surprising that the information contained in the Archive was deemed of “significant interest.” Nor will it be surprising if, in the not-too-distant future, other states follow suit.

By way of context, the Massachusetts Data Security Law (M.G.L. c.93H) (the “Law”), enacted in 2007, requires businesses and others that own or license personal information of Massachusetts residents to notify affected residents, OCABR and the Office of the Massachusetts Attorney General when they know or have reason to know of a security breach, or that the personal information was acquired or used by an unauthorized person or used for an unauthorized purpose. Businesses should bear in mind that the information required in the notice varies depending on the recipient. Specifically, the Law prohibits the notice sent to Massachusetts residents from including “the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.” However, the Law also mandates that such information be provided in the notice to OCABR and the Office of the Attorney General. So, with the introduction of the Archive, the information available to the public (without making a public records request) will be more in line with that available to state regulators (although the public will have to wait until the year-end publishing of OCABR’s annual report).

OCABR has drafted an annual data breach report (called “Identity Theft Reports”) for each year since the Law was enacted, and all 10 reports are now available online. The reports set forth information on:

  • the date the breach was reported;
  • the type of breach;
  • the number of Massachusetts residents affected;
  • whether the breach involved social security numbers;
  • whether the breach involved account numbers;
  • whether the breach involved driver’s licenses;
  • whether the breach involved credit card numbers; and
  • whether credit monitoring was provided.

The posting of the Archive has a number of practical impacts that organizations should consider. For example, its posting could provide plaintiffs’ attorneys another avenue to scour for potential litigation targets. In addition, organizations face the prospect of damage to perhaps their most valuable asset: their reputation. Surveys consistently find that a majority of participants either would not, or are hesitant to, do business with a company that had faced a data breach involving credit or debit card information, and the Archive will make it harder for organizations that suffer breaches to limit adverse publicity concerning a breach, particularly if media organizations or consumer advocacy groups review and publicize the Archive’s information each year. Finally, the publication of the Archive should remind organizations of the importance of having a strong data security program, including a written information security plan, employee data security policy, technical safeguards and employee training. As Benjamin Franklin once said, an ounce of prevention is worth a pound of cure. In the world of data security, nothing could be truer.