Can you summarize MGL Chapter 93H, Section 3?
SECURITY BREACHES > Duty to report known security breach or unauthorized use of personal information
Short Summary
This section of the Massachusetts General Law imposes a duty on persons or agencies that maintain or store personal information about residents of Massachusetts to report any known security breach or unauthorized use of such information. If a person or agency knows or has reason to know of a breach of security or unauthorized acquisition or use of personal information, they must provide notice to the owner or licensor of the data. Additionally, if a person or agency owns or licenses data that includes personal information, they must provide notice to the attorney general, the director of consumer affairs and business regulation, and the affected resident. The notice must include details about the breach or unauthorized use, the number of affected residents, the responsible person or agency, the type of personal information compromised, and any steps taken or planned to address the incident. The person or agency must also provide a sample copy of the notice to the attorney general and the office of consumer affairs and business regulation. The office of consumer affairs and business regulation is responsible for making certain information available to the public and updating the breach notification report. There is no mention of specific penalties in the provided document.
Whom does it apply to?
Persons or agencies that maintain or store personal information about residents of Massachusetts
What does it govern?
Duty to report known security breach or unauthorized use of personal information
What are exemptions?
The duty to report does not require the disclosure of confidential business information or trade secrets, and does not require providing notice to affected residents.
What are the Penalties?
Not specified in the provided document.
Jurisdiction
Massachusetts