The Massachusetts Office of Consumer Affairs and Business Regulation announced it will start to make its data breach notification archive publicly accessible online. The records are currently available only through a public records request.
Consumer Affairs Undersecretary John Chapman commented, “The Data Breach Notification Archive is a public record that the public and media have every right to view. Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records Law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”
Data Breach Notification Law
According to the state’s data breach notification law, organizations are required to notify state residents whose personal information is compromised in a data breach. However, organizations are prohibited from including the nature of the breach, or the number of individuals affected, in the notice.
State law also requires organizations to provide notice to the state attorney general. In that notification, organizations must include the nature of the breach along with a copy of the notice sent to affected individuals.
California, Oregon, Maryland, and New Hampshire have similar practices in their state data breach notification laws. Those states post a copy of the attorney general notification letter online.
As public disclosure of data breaches increases, organizations will need to prepare for greater transparency around these incidents. Smaller incidents that might not otherwise generate much attention will be public information.