The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has published an online list of data breach notifications issued each year to Massachusetts residents since 2007, the inception of the Commonwealth’s data breach notification law. The list identifies the entity that was breached; the number of Massachusetts residents affected; whether the breach was of electronic or paper records; whether social security, drivers’ license, credit, or debit card numbers were accessed; whether the data was encrypted; whether a mobile device was lost or stolen; and whether credit monitoring or other relief was offered to the individuals affected.
These lists are being published in response to a new Massachusetts state law requiring state government to make certain records available online for residents, including “information of significant interest” on the Internet. Previously, breach notification information from Massachusetts could only be obtained through a public records request.
Under Massachusetts law, OCABR and the State Attorney General, as well as affected Massachusetts individuals, are notified of the occurrence of a data breach. Notably, Massachusetts law requires that the breach notice sent to Massachusetts residents not include a description of the nature of the breach or specify the number of individuals affected. Unless the information is published by state regulators or by the media, affected individuals frequently don’t learn the details of a breach or how many other residents were affected by it. This new list will allow residents to learn more information about the scope of a breach, although not until the list for the applicable year is published.