Massachusetts Attorney General Creates Data Privacy and Security Division
The Massachusetts Office of the Attorney General has created a new Data Privacy and Security Division. This Division is charged with protecting consumers from the threats to the privacy and security of their data. The Attorney General, Maura Healey, announced “The Data Privacy and Security Division will build on our office’s commitment to empowering Massachusetts consumers in the digital economy, ensuring that companies are protecting personal data, and promoting equal and open access to the internet.”
Attorney General Healey announced that the Data Privacy and Security Division will “investigate and enforce the Massachusetts Consumer Protection Act and Data Breach Law to protect the security and privacy of consumers’ data.” This new Data Privacy and Security Division is the latest development in increasing efforts by Massachusetts officials to address cybersecurity concerns. In the Fall of 2019, Massachusetts Governor Charlie Baker introduced an expansive cybersecurity program, including statewide workshops for municipalities to work together to enhance their cybersecurity capabilities.
Notably, last Spring, Massachusetts updated its data breach notification law with changes that are likely to create opportunities for enforcement by the division. In particular, the new law expanded the content requirements for notifications to the Attorney General and Office of Consumer Affairs and Business Regulation (OCABR) to include, among other things, whether the business that experienced the breach maintains a written information security program (WISP) and whether they have updated the WISP. Employers maintaining personal information of Massachusetts residents should revisit their incident response plan (or develop one).
Employers operating in Massachusetts or holding data on Massachusetts residents should be aware of the focus that Governor Baker and Attorney General Healey have placed on cybersecurity. These Massachusetts programs highlight the importance of conducting risk assessments to identify and address potential vulnerabilities to hackers as well as security risks created by employees and contractors.