Massachusetts Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Massachusetts operates one of the most demanding data breach frameworks in the United States. Unlike states that rely solely on notification rules, Massachusetts pairs its breach notification statute, Mass. Gen. Laws ch. 93H, with a separate regulation, 201 CMR 17.00, that mandates proactive data security measures. Together, they create a two-pronged obligation: protect personal information before a breach happens, and follow strict reporting and remediation steps if one occurs.
This guide covers who must comply, what triggers notification, reporting requirements, the mandatory Written Information Security Program (WISP), penalties, and how consumers can pursue damages. For the broader privacy landscape, see our [Massachusetts Data Privacy Laws](/us-laws/data-privacy-laws/massachusetts-data-privacy-laws) overview.
Who Must Comply
Massachusetts breach notification law applies to any person or agency that owns or licenses data containing the personal information of Massachusetts residents. This includes businesses, nonprofits, government agencies, and third-party service providers. The law reaches entities located outside Massachusetts if they hold data on Commonwealth residents.
Third-party data custodians (companies that maintain or store data on behalf of another entity but do not own or license it) have their own obligation. When a custodian knows or has reason to know of a breach or of unauthorized acquisition or use, it must notify the data owner or licensor as soon as practicable and without unreasonable delay, and it must cooperate with the owner, including by providing the date or approximate date of the incident, its nature, and the steps the custodian has taken or plans to take. The data owner then carries the responsibility for notifying the state and affected individuals, so custodian contracts should spell out that hand-off and the information the owner will need to complete its own report.
State executive department agencies face an additional requirement: they must also notify the Executive Office of Technology Services and Security and the Division of Public Records.
What Triggers a Notification
Definition of a Breach
Under Section 1 of Chapter 93H, a "breach of security" means the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information and that creates a substantial risk of identity theft or fraud against a Massachusetts resident. Both elements matter: an incident that exposes data but creates no substantial risk of identity theft or fraud is not a "breach of security" as defined, though the separate trigger for unauthorized acquisition or use (discussed under Timeline below) may still apply.
A good-faith acquisition of personal information by an employee or agent does not count as a breach, as long as the information is not used improperly or disclosed to unauthorized parties.
Protected Personal Information
The notification duty applies when a breach involves a resident's first name (or first initial) and last name combined with any of the following:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, or credit or debit card number (with or without any required security code, access code, PIN, or password that would allow access to the account)
Publicly available information and lawfully accessible government records are excluded from this definition.
Encryption Safe Harbor
Massachusetts provides a clear encryption safe harbor. The statute defines "encrypted" as the transformation of data through a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of the confidential process or key. If breached data was encrypted to that standard and the confidential process or key was not also acquired, the incident is not a "breach of security" and no notification is required. The safe harbor turns on key custody as much as on key length: a database export that leaves with the decryption key, or a portable device whose key is recoverable from the device itself, does not qualify. The 128-bit figure is a floor rather than a guarantee, since the definition also requires a low probability of recovering meaning, which a broken or misused algorithm cannot provide regardless of key size.
The Department of Consumer Affairs and Business Regulation has authority to update the encryption standard by regulation as technology evolves.
Notification Requirements
Timeline
Massachusetts requires notification "as soon as practicable and without unreasonable delay" once the entity knows or has reason to know of a breach of security, or knows or has reason to know that a resident's personal information was acquired or used by an unauthorized person or used for an unauthorized purpose. The state does not set a fixed number of days; reasonableness is judged on the circumstances, including the scope of the breach and the investigation needed. The statute also removes one common excuse for waiting: notice may not be delayed on the grounds that the total number of affected residents has not yet been determined. The entity reports the count known at the time of notice and supplements it as soon as practicable when more is learned.

Who Must Be Notified
Under Section 3 of Chapter 93H, data owners or licensors must notify three parties:
- The Massachusetts Attorney General
- The Director of Consumer Affairs and Business Regulation (OCABR)
- Each affected Massachusetts resident
The OCABR director also identifies relevant consumer reporting agencies and state agencies that must receive notice. The breaching entity is responsible for notifying those additional agencies.
What the AG and OCABR Notice Must Include
Notification to the Attorney General and the OCABR must contain detailed information, including:
- The nature of the breach or unauthorized acquisition/use
- The number of Massachusetts residents affected at the time of notification
- The name and address of the person or agency that experienced the breach
- The name, title, and relationship of the person reporting the breach
- The type of person or agency reporting
- The party responsible for the breach, if known
- The types of personal information compromised (SSN, driver's license, financial account numbers, etc.)
- Whether the entity maintains a Written Information Security Program (WISP)
- Steps the entity has taken or plans to take in response to the incident, including any updates to its Written Information Security Program
If the breached entity has a parent or affiliated corporation, that information must also be disclosed.
What the Consumer Notice Must Include
Notice to affected residents must include:
- The resident's right to obtain a police report
- How to request a security freeze, and a statement that security freezes are free
- Information about mitigation services being offered
Notably, the statute directs that the consumer notice must not include the nature of the breach or the number of affected residents. In practice this means the resident letter and the regulator filing cannot be the same document: the detail the AG and OCABR require is precisely what the consumer notice must omit.
Methods of Notice
Notice may be provided in writing, electronically (if the electronic notice is consistent with the federal E-SIGN Act, 15 U.S.C. § 7001(c), and Mass. Gen. Laws ch. 110G), or through substitute notice. Substitute notice is permitted when the entity demonstrates that the cost of written notice would exceed $250,000, that the affected class exceeds 500,000 Massachusetts residents, or that it lacks sufficient contact information. Substitute notice requires all three of: email notice where the entity has email addresses for the affected residents, clear and conspicuous posting on the home page of the entity's website if it maintains one, and publication in or broadcast through media that provides notice throughout the Commonwealth.
Public Posting Requirement
The OCABR posts a copy of the sample consumer notice it receives on its website within one business day of receipt and updates its public breach report listing within ten business days. Breach filings in Massachusetts are therefore public almost immediately, which should be factored into internal and press communications planning.

Credit Monitoring for SSN Breaches
When a breach includes Social Security numbers, Section 3A imposes additional requirements that go beyond standard notification.
The breached entity must contract with a third-party provider to offer credit monitoring services, at no cost to the resident, to each affected Massachusetts resident whose Social Security number was disclosed or is reasonably believed to have been disclosed, for at least 18 months. If the breached entity is a consumer reporting agency, the minimum monitoring period extends to 42 months.
The credit monitoring arrangement comes with strict consumer protections:
- The contract cannot include reciprocal service agreements or fees charged to affected residents
- The provider must supply all enrollment information needed to activate coverage
- Information about placing a credit report security freeze must be included
- Residents cannot be required to waive their private right of action as a condition of accepting credit monitoring
The breached entity must file a certification with both the Attorney General and the OCABR confirming that its credit monitoring services comply with Section 3A.

Written Information Security Program (WISP) Requirements
Massachusetts stands out nationally for requiring proactive data security measures, not just breach response. 201 CMR 17.00, issued under the authority of Chapter 93H Section 2, requires every person or entity that owns or licenses personal information of Massachusetts residents to develop, implement, and maintain a comprehensive Written Information Security Program.
The WISP must be proportional to the organization's size, scope, available resources, amount of stored data, and the sensitivity of the information involved.
Administrative Safeguards
Under 201 CMR 17.03, the WISP must address:
- Designated security coordinator. One or more employees must be assigned to maintain and supervise the WISP.
- Risk assessment. The entity must identify and evaluate reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information records.
- Employee training. Ongoing training for all employees, including temporary and contract workers, on security policies and the proper handling of personal information.
- Compliance monitoring. Regular review of employee compliance with the WISP.
- Security policies for off-site records. Rules governing how employees store, access, and transport records outside business premises.
- Disciplinary measures. Consequences for employees who violate the WISP.
- Terminated employee access. Procedures to prevent former employees from accessing personal information.
- Vendor management. Third-party service providers must be contractually required to implement and maintain appropriate security measures. Entities must select vendors capable of maintaining these protections.
- Physical safeguards. Reasonable restrictions on physical access to records, including locked facilities, storage areas, or containers.
- Annual review. Security measures must be reviewed at least annually, or whenever a material change occurs in business practices that affects personal information security.
- Incident response. Documentation of responsive actions taken after a breach incident, including a mandatory post-incident review.
Technical Safeguards
Under 201 CMR 17.04, entities that electronically store or transmit personal information must include in the WISP a security system covering their computers, including any wireless system, that has the following elements at a minimum and "to the extent technically feasible." The regulation defines "technically feasible" narrowly: if there is a reasonable means through technology to accomplish a required result, that means must be used. The qualifier accommodates genuine technical limits, not cost or convenience.
- Secure authentication protocols. Control of user IDs and identifiers, reasonably secure password assignment methods, or use of biometrics or token devices. Passwords must be stored securely, access must be limited to active users, and accounts must lock after repeated failed login attempts.
- Access control. Restrict personal information access to those who need it for their job duties. All users must have unique identifications and passwords (not vendor-supplied defaults).
- Encryption. All records and files containing personal information must be encrypted when transmitted across public networks, transmitted wirelessly, or stored on laptops and portable devices.
- System monitoring. Reasonable monitoring for unauthorized use of or access to personal information.
- Firewalls and patches. Reasonably up-to-date firewall protection and operating system security patches for internet-connected systems.
- Malware protection. Current security software with malware protection and reasonably up-to-date patches and virus definitions.
- Employee education. Staff training on proper system usage and the importance of personal information security.
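The authentication and access-control elements above (17.04(1) and (2)) are the ones most often implemented in application code rather than bought as a product. The block below is an added example of one way to satisfy them; it is not the regulator's code, and the regulation prescribes outcomes, not this design. The lockout threshold of 5 attempts, the PBKDF2 iteration count, and the list of vendor-default credentials are assumptions, since 17.04 says only "multiple unsuccessful attempts" and "not vendor supplied default passwords" without numbers or names.

```python
"""Added example: implementing the 201 CMR 17.04(1)-(2) authentication elements
(unique non-default identifiers, hashed password storage, access limited to
active accounts, lockout after repeated failures). Not the regulator's code.

Assumptions (not in the regulation): lockout after 5 failures, PBKDF2-HMAC-SHA256
at 600,000 iterations, and a constructed list of vendor-default credentials."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5         # assumption: 17.04(1)(e) says "multiple", not a number
PBKDF2_ITERATIONS = 600_000   # assumption: roughly the current OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# Constructed examples of vendor-supplied defaults that 17.04(2)(b) forbids.
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


def derive_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen table is not a stolen password set."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, user_id: str, password: str) -> Account:
        # 17.04(2)(b): one unique identifier per person, never a vendor default.
        if user_id in self._accounts:
            raise ValueError("identifier already assigned")
        if (user_id, password) in VENDOR_DEFAULTS:
            raise ValueError("vendor-supplied default credentials are not permitted")
        # 17.04(1)(c): store only the salted hash, never the password itself.
        salt = os.urandom(SALT_BYTES)
        account = Account(user_id, salt, derive_hash(password, salt))
        self._accounts[user_id] = account
        return account

    def deactivate(self, user_id: str) -> None:
        # 17.03(2)(e) and 17.04(1)(d): a terminated user's account stops working at once.
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        account = self._accounts.get(user_id)
        if account is None or not account.active or account.locked:
            return False
        # Constant-time compare so the stored hash does not leak byte-by-byte via timing.
        if hmac.compare_digest(derive_hash(password, account.salt), account.pw_hash):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked = True   # 17.04(1)(e): block after repeated failures
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked


def run_demo() -> dict[str, bool]:
    """Exercise each control with constructed credentials; True means the control held."""
    store = AuthStore()
    store.create("jdoe", "correct horse battery staple")
    results = {"good_password_accepted": store.authenticate("jdoe", "correct horse battery staple")}
    for _ in range(LOCKOUT_THRESHOLD):
        store.authenticate("jdoe", "not the password")
    results["locked_after_failures"] = store.is_locked("jdoe")
    results["good_password_rejected_when_locked"] = not store.authenticate(
        "jdoe", "correct horse battery staple")
    try:
        store.create("admin", "admin")
        results["vendor_default_rejected"] = False
    except ValueError:
        results["vendor_default_rejected"] = True
    store.create("former_employee", "Tr0ub4dor&3")
    store.deactivate("former_employee")
    results["deactivated_account_rejected"] = not store.authenticate("former_employee", "Tr0ub4dor&3")
    return results


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The lockout here is permanent until an administrator intervenes, which is the simplest reading of "blocking access to user identification after multiple unsuccessful attempts"; a time-based unlock is also common and equally defensible, but the unlock path should itself be logged, since 17.04(4) requires reasonable monitoring for unauthorized access and a reset is exactly where an attacker would try to get back in.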
Delay for Law Enforcement Investigations
Under Section 4 of Chapter 93H, notification may be delayed if a law enforcement agency determines that notice may impede a criminal investigation, has notified the Attorney General of that determination in writing, and informs the entity of it. The entity must cooperate with the investigating agency, and notice must then be provided without unreasonable delay once the agency determines that notification will no longer impede the investigation. Because the delay is the entity's to justify later, record which agency made the request, when, and when the hold was lifted.

Penalties and Enforcement
Attorney General Enforcement
Section 6 of Chapter 93H authorizes the Massachusetts Attorney General to bring an action under Section 4 of Chapter 93A, the Commonwealth's consumer protection statute, to remedy violations of Chapter 93H and to obtain other appropriate relief. In effect, the AG can pursue a breach notification failure with the same tools used against unfair or deceptive acts and practices.
The AG can seek:
- Injunctive relief to stop ongoing violations
- Civil penalties of up to $5,000 per violation
- Costs of investigation and litigation, including reasonable attorneys' fees
Given that a single data breach can affect thousands of residents, and each failure to notify can constitute a separate violation, the total penalty exposure can be substantial.
Private Right of Action
Massachusetts is one of a limited number of states in which individuals can bring private lawsuits over breach notification violations. Chapter 93H does not itself spell out a private cause of action, but Section 3A's bar on requiring residents to waive their "private right of action" presupposes one, and consumers bring these claims under Section 9 of Chapter 93A, alleging that the failure to comply with Chapter 93H was an unfair or deceptive act. A Chapter 93A plaintiff must also show that they were injured by the violation, which is where many data-breach suits are contested.
Key features of the private right of action:
- Pre-suit demand letter. Before filing suit, a consumer must send a demand letter to the business. The business has 30 days to respond with a reasonable settlement offer.
- Multiple damages. If the court finds the violation was willful or knowing, Chapter 93A provides for at least double and up to treble the actual damages.
- Attorneys' fees and costs. Prevailing plaintiffs can recover reasonable attorneys' fees and litigation costs.
- Statute of limitations. Claims under Chapter 93A must be filed within four years of the violation.
This combination of AG enforcement and private suits makes Massachusetts one of the highest-risk states for entities that fail to comply with breach notification requirements.
Recent Enforcement Activity
Massachusetts has actively pursued enforcement actions. In August 2025, AG Campbell reached a $795,000 settlement with a property management company for delayed breach notification and failure to implement required security measures. The state has also participated in major multistate settlements, including a $16 million settlement with Experian and T-Mobile and a $39.5 million settlement with a national insurance company; those figures are multistate totals, of which Massachusetts received a share.
Federal Preemption and Other Laws
Section 5 of Chapter 93H addresses how the state law interacts with federal frameworks. An entity that maintains breach-response procedures under federal laws, rules, regulations, guidance, or guidelines is deemed in compliance with Chapter 93H if it notifies affected Massachusetts residents in accordance with those procedures, provided that it also notifies the Attorney General and the OCABR director as soon as practicable and without unreasonable delay. Separately, entities subject to Title V of the Gramm-Leach-Bliley Act (GLBA) that comply with its security requirements are deemed in compliance with the 201 CMR 17.00 WISP requirements. Neither provision excuses the state-agency notices: federal procedures can substitute for the form of resident notice, not for reporting to the AG and OCABR.
Chapter 93H does not limit any rights that a consumer may have under any other state or federal law.
How Massachusetts Compares to Other States
Massachusetts has one of the strongest combined data security and breach notification frameworks in the country. Several features set it apart:
- Mandatory WISP. Most states require only breach notification. Massachusetts also mandates proactive security programs with specific administrative, technical, and physical safeguards.
- Dual agency notification. Both the AG and OCABR must be notified, along with additional agencies identified by the OCABR director.
- 18-month credit monitoring. Many states do not require credit monitoring at all. Massachusetts mandates it for SSN breaches, with an extended 42-month period for consumer reporting agencies.
- Private right of action with treble damages. Through Chapter 93A, consumers can sue directly and recover up to triple their damages for willful or knowing violations.
- 128-bit encryption standard. Massachusetts defines a specific encryption threshold in statute, giving clearer guidance than a bare "reasonable encryption" standard, though the safe harbor still depends on the confidential process or key not being acquired along with the data.
More Massachusetts Laws
- Massachusetts Recording Laws
- Massachusetts Data Privacy Laws
Sources and References
This article draws from the following official Massachusetts government sources:
- Mass. Gen. Laws ch. 93H (Security Breaches) - Full text of the Massachusetts data breach notification statute
- Chapter 93H, Section 1: Definitions - Statutory definitions including personal information and encryption
- Chapter 93H, Section 3: Duty to Report - Notification requirements and content mandates
- Chapter 93H, Section 3A: SSN Breaches - Credit monitoring requirements
- 201 CMR 17.00: Standards for Protection of Personal Information - WISP regulation
- 201 CMR 17.03: Duty to Protect - Administrative safeguard requirements
- 201 CMR 17.04: Computer System Security Requirements - Technical safeguard requirements
- Reporting Data Breaches to the AG - Attorney General breach reporting portal
- Reporting Data Breaches to OCABR - OCABR breach reporting portal
- AG Campbell $795,000 Settlement (2025) - Recent enforcement action
- AG Healey $16 Million Experian/T-Mobile Multistate Settlement - Multistate enforcement action
- AG Healey $39.5 Million Insurance Company Multistate Settlement - Multistate enforcement action
This article provides general legal information about Massachusetts data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Massachusetts for guidance specific to your situation.