DBN Statutes – Massachusetts

Data Breach Notification Statutes – Massachusetts

Last Updated: 02/28/2024

  • Applicable Statute: Mass. Gen. Laws ch. 93H, §§ 1–6
  • Attorney General Notice Required: Yes – the Attorney General and the Office of Consumer Affairs & Business Regulation must be notified if any resident is notified. The Director of Consumer Affairs and Business Regulation may provide the entity with the names of additional consumer reporting agencies or state agencies that must also be notified.
    • Timing: Must be made as soon as practicable and without unreasonable delay. Notice should not be delayed because the total number of residents affected is not yet known.
    • Method: Online at https://www.mass.gov/service-details/reporting-data-breaches-to-the-attorney-generals-office
    • Content: (i) the nature of the breach; (ii) the number of residents affected; (iii) the name and address of the entity reporting the breach and, if different, the name of the entity that experienced the breach and their relationship; (iv) the type of entity reporting the breach; (v) the person responsible for the breach, if known; (vi) the type of personal information compromised; (vii) whether the subject entity maintains a written information security program; and (viii) any steps the entity has taken relating to the incident. Notice must also include a sample copy of the notification sent to consumers.
  • Consumer Notice Requirements:
    • Timing: Must be made as soon as practicable and without unreasonable delay. Notice should not be delayed because the total number of residents affected is not yet known. Where necessary, updated or supplemental notice should be provided without unreasonable delay upon learning such additional information.
    • Content: The notice to the resident must include the consumer’s right to obtain a police report, how a consumer requests a security freeze from any consumer reporting agency, and that there is no charge for a security freeze. The notice must not include the nature of the breach or the number of residents affected. If the incident involved a Social Security number, credit monitoring services must be offered at no cost for a period of not less than 18 months. If the affected entity is a consumer reporting agency, the credit monitoring services must be offered for not less than 42 months.
    • If the subject entity is owned by another person or corporation, the notice must include the name of the parent or affiliated corporation.
    • Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures detailed in E-SIGN and Mass. Gen. Laws ch. 110G. Substitute Notice available under certain circumstances.
  • Consumer Reporting Agency Notice Obligations: Must notify the relevant consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation as soon as practicable and without unreasonable delay. That notice must include the nature of the breach, the number of residents affected, and any steps the entity has taken or plans to take relating to the incident.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and the website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is"; no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in several such states, and visitors of this website are put on notice that neither Klinedinst PC nor its attorneys are or will be providing legal advice for states where its attorneys are not licensed.
