Effective October 31, 2007, thirty-nine states have laws to protect their residents against identity theft by requiring that individuals, and frequently the state attorney general, receive prompt notification of a data breach involving their personal information. Organizations maintaining large electronic databases containing personal information for multitudes of individuals from multiple jurisdictions will be subject to several such state laws. But even the small or mid-sized company with business operations in just one state is likely to have a human-resource database containing personal identifiers for its own employees. Not only do such databases fall within the reach of such laws, but, if some of the company’s employees commute (or tele-commute) from neighboring states, the company may be required to comply with more than one such state statute in the event of a data breach.
Massachusetts is the latest state to enact such a law, and its provisions are illustrative of how various states have sought to protect against identity theft. The law defines “personal information” to include an individual’s first name or initial and last name in combination with their Social Security number, driver’s license or state identification card number, or financial account or credit card information that would permit access to same. The law applies to any person or entity that owns, licenses, maintains, or stores such information relating to Massachusetts residents, either electronically or in paper files. It defines what constitutes a breach of such a database (which does not require a substantial risk of identity theft in all instances) and requires that timely written notification of such a breach be provided to the Massachusetts Attorney General, the state Office of Consumer Affairs and Business Regulation (“OCABR”), and any affected Massachusetts resident. The new law authorizes the state Attorney General to bring civil actions for violations of its requirements and charges the OCABR with developing regulations to safeguard databases containing personal information.
In light of the variations in state data breach notification laws, entities faced with security incidents should consult experienced counsel to determine whether, when and to whom notice must be sent. The text of Chapter 82 of the Acts of 2007 can be found at http://www.mass.gov/legis/laws/seslaw07/sl070082.htm. On January 11, 2008, the OCABR held hearings on its draft regulations, which can be found at the agency’s website.