Massachusetts’ data breach information now available exclusively online

The Massachusetts Office of Consumer Affairs and Business Regulation has introduced a web-based data breach notification archive.

The archive gives access to the public and media to allow greater transparency in data breaches, highlighting those that fail to notify their customers/users of a data breach.

Massachusetts’ Law

According to the Massachusetts Data Security Law, it requires any entity that keeps Massachusetts resident’s personal information to notify affected residents of a data breach; whether the breach was caused accidentally or intentionally.

Prior to the data breach notification archive, data breach information was only available to those who requested it from the Office of Consumer Affairs through the Public Records Request.

Epidemic issue of data breaches

Data breaches have been a global issue for many years. It’s also common knowledge that data breaches affect individuals to thousands or millions of people. With such sensitive information in danger, the Massachusetts’ government have been proactive in fighting against cyber-criminals in the hope of protecting their citizens’ personal information.

Greater transparency and openness

I believe Massachusetts’ strategy will create greater awareness of data protection principles and will hold businesses and organisations accountable for their actions should they breach their customers or users personal data. This is supported by Consumer Affairs Undersecretary, John Chapman, who reiterates the importance of transparency:

“…making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor [Charlie] Baker’s commitment to greater transparency throughout the Executive Office.”

Goals

It has been quite the game changer since Governor Baker’s updated the Public Records Law. It created an expectation on certain public records to be published online. Individual agencies were also authorised to post public record information of significant interest that agencies deem appropriate. This is a good approach to have as it allows independent agencies to express their viewpoint.

The Office of Consumer Affairs and Business Regulation seeks to achieve two goals:

1. To protect and empower consumers through advocacy and education, and
2. To ensure a fair playing field for all Massachusetts businesses.

Pre-emption

I believe the data breach notification system may create a perception of more data breaches. This is because businesses and organisations may report their data breaches as a pre-emptive method instead of attempting to hide the breach but then later be found out by the public or media.

Though it might highlight businesses and organisations’ unwillingness to participate in this data breach notification archive, they don’t have any other option. I hope this will gently assist businesses and organisations to be as open and transparent as possible.

It’s now for other states to recognise and realise that without such regulation, businesses, organisations and cyber-criminals will go on to breach and exploit more personal information.

Will others follow suit?

With data breaches in the U.K. being one of the highest across the globe, maybe it’s time for the U.K. to follow suit.

Some may say it’s naming and shaming. I would argue that it’s preventing and protecting citizens from potential data breaches. It could really push organisations to think more seriously about their cyber security policies too.