Massachusetts Issues First Annual Report On Data Breaches

The Massachusetts Consumer Affairs and Business Regulation office recently issued its first annual report on data breach notifications. The report is based on information taken from data breach notices filed by companies with the office. These notices are required under Massachusetts law, and have provided the office with extensive information about the nature of breaches of the past several years. Since this is the first report, it includes information for breaches going back to November 2007, shortly before a Massachusetts data security law went into effect. According to the report, between November 2007 and September 2011, the state received notice of more than 1,800 data breaches of personal information, which breaches impacted nearly 3.2 million Massachusetts residents. The majority of these breaches have been “malicious,” i.e., hackers attempting to break into a company’s system. The breach notices have come from all industries, including commercial, entertainment, financial services, health care, pharmaceutical and telecommunications, and state governments. According to the Consumer Affairs office, the data underscores the need to encrypt personal information that is placed on portable devices (like thumb drives or laptops), as well as the need to train employees.

TIP: All companies should review their data security practices to ensure compliance with applicable laws – like that in Massachusetts – as well as to reduce potential exposure in the event of an attempted malicious attack.  Measures include evaluating existing workplace policies for protecting data, encrypting information sent electronically, and training employees about the importance of protecting personal information.