Massachusetts Attorney General Announces New Online Tool for Data Breach Reporting

Massachusetts Attorney General Maura Healey recently launched a Data Breach Reporting Online Portal which will allow businesses to report data breaches online in lieu of sending hard copy notices. Massachusetts enacted a data breach notification law in 2007, which requires any entity that owns or licenses a consumer’s personal information to timely report data breaches to the Office of the Attorney General, the Office of Consumer Affairs and Business Regulations (OCABR), and all affected Massachusetts residents. Entities must disclose information regarding the nature of the breach, the number of affected residents, and any remedial action the entity has taken or plans to take.     

The new online portal is voluntary, and businesses can still submit hard copy notices to the attorney general’s office. Although businesses will still need to notify affected residents and OCABR of any breach separately, Massachusetts Attorney General Healey believes the electronic database will allow information to be shared more efficiently. The Massachusetts Attorney General’s Office also announced plans to roll out a publicly available database that will provide consumers with information about reported breaches. More than 21,000 breaches have been reported to the attorney general’s office since November 2007, when the office began handling such notices.

TIP: While the Massachusetts electronic breach reporting portal is optional, it is important to keep in mind that a growing number of states have specific forms, portals, and other requirements for notifying state regulators in the event of a breach.