If you want to find out about how many data breaches there were in Massachusetts in any given year and what companies were involved, you can now do that online. The Massachusetts Office of Consumer Affairs and Business Regulation is now making Massachusetts data breach reports involving potential identity theft available to the public in a database on its website. Tara Seals of InfoSecurity magazine reports that in the past, these records could only have been obtained via a public records request. She notes that Massachusetts has been in the forefront of data security and discusses some of these initiatives.
“State law requires that any organization that keeps personal information about a Massachusetts resident notify state officials, as well as affected customers, any time that information is compromised. This includes external hacking incidents, unintentional data leakage and insider mistakes, among other scenarios. It also includes incidents outside of the cyberworld—say, if a briefcase with papers is stolen or misplaced.”
Searchable spreadsheets are available by year from 2007 through 2016. These might be useful to you or your insureds as a reference if you or they fear that data might have been at risk. The reports are also instructive in a cautionary way as a reminder of the importance of safeguarding client data privacy. While we think of data breaches as being the result of hacks by cyber criminals, most are the result of insiders – either through careless handling of data or maliciousness. The importance of good internal security and procedures cannot be overemphasized.
What about other states?
The best source for other states that we could find was from the National Council of State Legislatures (NCSL), which compiles information about state data breach legislation. Some of these lists are very helpful as reference – particularly those dealing with notification laws and data disposal laws.
Data Breach Notification Laws – Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.
2016 Security Breach Legislation – At least 26 states in 2016 have introduced or are considering security breach notification bills or resolutions. Most of these bills would amend existing security breach laws applicable to business, government or educational institutions.
Data Disposal Laws – At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.