BOSTON (Legal Newsline) – Massachusetts-based victims of data breaches now have a new way to find out about how their personal information and data has been affected, thanks to a new archive published by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).
In January 2016 the OCABR published a list of every data breach that has affected Massachusetts residents since 2007, going back to when the commonwealth's M.G.L. c. 93(H) data breach and security notification law went into effect.
“The Massachusetts data breach security and notification law requires entities to notify the OCABR, the state attorney general and the individuals affected if there is any unauthorized use of data or if they know if that personal information was used or acquired for an unauthorized purpose,” Kathleen Porter, partner at Robinson and Cole, told Legal Newsline.
“Personal information for these purposes includes first names, last names, financial account information, bank account information, debit account information and Social Security numbers. But, previously the notifications only included a letter letting the target know they had been breached. The new archive goes into much more detail.”
Thanks to recent changes in Massachusetts transparency laws, the OCABR now archives every recorded data breach that has taken place in the commonwealth over the last 10 years. It includes notes for the entity that was breached, the number of Massachusetts residents affected, whether the breach was of electronic or paper records, identifies whether Social Security, driver’s license, credit or debit card numbers were accessed, whether the data was encrypted, whether a mobile device was lost or stolen, and whether credit monitoring or other relief was offered to the individuals affected.
“The change to the law meant that there was a decision to make as much of the situation as transparent as possible as part of a broader push to have state agencies publish more information about their activities,” Porter said. “The OCABR put together this archive, although it isn't really a searchable database; rather it's more of a PDF document with each intrusion listed.”
According to Porter, there are a small number of states with similar laws that require notification in case of a data breach, but they are by far a minority.
“But one thing that is interesting is the letter the OCABR sends is itself is very different from what you get from lot of different states,” Porter said. “In Massachusetts, you can't really state how many people were affected by the breach (and) you can't spell out the details. So this posting does include the number of people who were affected, so it does add some additional pieces of information.”
Looking toward the future, Porter said that publication of the data breach archive could represent a trend that makes it easier for legal teams to file class action litigation against entities that are liable for the loss of personal or private data. The new archive will greatly expand on the available information and could make it much easier to find the information necessary to file those lawsuits.