| Provision | Summary |
|---|---|
| Subject Entities | Applies to all individuals, businesses, governmental agencies, and any other entities that otherwise handle personal information under the statute. |
| Security Standard | Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
| Disposal/Destruction Standard | Must take reasonable steps to destroy or arrange for the destruction of any records within its custody or control containing personal information when such entity no longer intends to maintain or possess such records. Destruction must be by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. |
| Type of Data Covered | Electronic. |
| Definitions | “Personal information” means a resident’s first name or first initial and last name, in combination with one or more of the following unencrypted and unredacted data elements: |
| Methods of Compliance | The statute does not define “reasonable procedures and practices” or “reasonable care” to protect personal information from unauthorized access, destruction, use, modification, or disclosure. Compliance with the Massachusetts information security standard is recommended. |
| Enforcement and Penalties | Individuals who suffer actual damages from a failure to timely disclose a breach may bring a civil action. |
Last updated: January 2024