Mass. Gen. Laws 93H 1 et seq.


Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
In Lesson 10.5, we're going to continue our review of several US state-level data breach notification laws. In Lesson 10.5, we're going to look at Massachusetts' data breach notification law. We have several learning objectives. We're going to look at how this law defines personal information. Of course, we're going to talk about those entities that have to comply with this law. We're going to look at its definition of a breach. We're going to talk about whether there is a requirement for an analysis of risk of harm. We're going to talk about whether a safe harbor exists for any encrypted personal information, or information that's been made unreadable, unusable, or redacted. We're going to talk about, and look at, the requirements for notifications to affected individuals and regulators. Then we're going to talk about enforcement, private cause of action, a right to sue, and then any penalties incurred for non-compliance. Let's delve into this law.
Now, we've looked at three laws up to this point in this module. Just like the other laws, if you're licensed to operate, or if you own or license residents' information within the state, in this case personal information, then you're going to have to comply with Massachusetts' data breach notification law. How does it define personal information? That's a Massachusetts resident's first name, last name, or first initial, in combination with one or more of the following identifiers, much like we saw under California's, Texas', and New York's laws. That's information that relates to that Massachusetts resident, such as his or her Social Security number, driver's license or some other type of state-issued identification card number, or any financial account information, credit card or debit card information, and in this case, this is where it differs from the three previous laws, with or without any security code, security access information, PIN, or password that would allow someone to access that resident's financial account.
How does this law define a breach? In this case, it's the unauthorized acquisition or unauthorized use of unencrypted data, and in this case, encrypted data whose keys or algorithms have been compromised. They also add, unlike the other laws, that there exists a chance that it places those Massachusetts residents at substantial risk of identity theft or fraud. Now, unlike the other laws we talked about, for the Massachusetts law it is data in any form, whether it's written, drawn, spoken, visual, or electromagnetic information, or images that are recorded or preserved regardless of physical form or characteristics, which differs from the previous three laws.
Now, the Massachusetts law states that "if an analysis of risk of harm results in a determination that no breach has occurred, then there is no requirement to give notification to affected Massachusetts residents, or to those state regulatory and law enforcement entities." Just like we saw in the case of the first three laws, there is a safe harbor provision that states that "under certain circumstances, for any information that's encrypted, unreadable, unusable, or redacted, there is a safe harbor in place for notification, or lack of notification, of that type of data."
Now, what the Massachusetts law says as it applies to notification to Massachusetts residents is that covered entities that must comply with this law have to notify those Massachusetts residents, should a breach occur, as soon as practicable or without unreasonable delay. Now, again, we do have a law enforcement delay provision here, in the event that law enforcement requests that the business or person delay the notification because of an ongoing criminal investigation. Now, where this law varies or differs from the three preceding laws is that it says those covered entities can't delay their notifications based on the fact that the total number of residents affected is not ascertained. What does that mean in layman's terms? It means that you're going to have a rolling notification, and so as you identify more people impacted by this data breach, then again, you're going to have to notify them also. You're still going to have to provide that additional notice as soon as practicable or without unreasonable delay.
When we talk about notification to regulators, those covered entities also have to notify the state attorney general as soon as practicable or without unreasonable delay if they suspect that there has been an actual breach of personal information. Now, if the information was acquired by an unauthorized person, or used for unauthorized purposes, they also have to notify the Director of Consumer Affairs and Business Regulation as well as the attorney general. Now, if there's a breach of an individual's Social Security number, these covered entities also have to file a report with the state attorney general and the Director of Consumer Affairs and Business Regulation certifying that the credit monitoring service that they're going to offer to these affected residents is compliant with state law. It's the Director of Consumer Affairs and Business Regulation that's going to work with the person or the business that has to comply with this law to ensure that they provide the appropriate notice to those consumer reporting agencies as required under this law.
The enforcement responsibility lies with the Massachusetts State Attorney General, who is going to enforce this law under the provisions of Chapter 93A, that's unfair trade practices, and who can also bring civil actions to remedy any violations of this law. Now, if we're talking about a Massachusetts resident's Social Security information, and it has been disclosed, then the individual or the business that experienced a breach also has to offer credit monitoring services to those Massachusetts residents affected by the breach at no cost for at least 18 months. Now, if it is a consumer reporting agency that's responsible for the breach, then they must do so for 42 months. Those covered entities that have to comply with this law can't require those individuals to waive their rights to sue as a condition of receiving credit monitoring services.
Question 1 asks, "How does this Massachusetts data breach notification law define personal information?" The appropriate answer is A. Question 2 asks, "Massachusetts law requires covered entities to provide credit monitoring services when a data breach involves Social Security numbers of Massachusetts residents for how long?" The appropriate answers are A and B.
Now, in summary, we looked at the Massachusetts law in comparison with the California, Texas, and New York data breach notification laws. We did see some similarities in the manner in which they define personal information, those identifiers. We saw that, again, it defines a data breach in a way that was pretty similar to that of the first three laws, really looking at unencrypted data and unauthorized access or acquisition of that personal information. But in this case, what the Massachusetts law said is that it didn't matter what format the disclosed information was in; it still required notification when required under this law. It did have a provision for a safe harbor as it applied to encrypted information that had been disclosed and its notification requirements. What differs here is that when we look at an analysis of risk of harm requirement, then in this case, once you do that risk analysis, if you determine that a breach had not occurred, then you don't have any notification requirements. We also said that you have to give notice to affected individuals and to the state attorney general, and to the Director of Consumer Affairs and Business Regulation, without undue delay or unreasonable delay. It also had requirements as to when you had to notify the credit reporting agencies.