During the March 23, 2016 “Protecting Data and Dealing with Breaches” panel that I chaired for Massachusetts Continuing Legal Education (MCLE), Assistant Attorney General Sara Cable identified some “red flags” that the Office’s Data Privacy and Security Unit looks for when reviewing data breach notices under Massachusetts law.
All companies (including those based outside Massachusetts) holding personal information of Massachusetts residents should know that the presence of these “flags” may increase the likelihood of agency inquiries (by email, phone or letter) or formal investigations (typically by a Civil Investigative Demand) under Massachusetts consumer protection statutes (including G.L. c. 93A), data breach statutes (including G.L. c. 93H and 93I) and the state’s toughest-in-the-nation data security rules (at 201 CMR 17.00).
Based on my reading of Assistant Attorney General Cable’s remarks, made in her personal rather than official capacity, key triggers may include:
- Size of Breach. The larger the number of affected consumers, the greater the likelihood that the Attorney General will inquire about compliance with applicable data breach or consumer protection laws and rules.
- Nature of Affected Consumers. Irrespective of the number of affected consumers, if a breach involves consumers who are members of disadvantaged or vulnerable groups such as children, the elderly, the disabled community, or racial, ethnic or religious minorities, then the Attorney General is likely to pay particular attention.
- Nature of Breach. The Attorney General is likely to inquire as to breaches that appear to have been avoidable through reasonable diligence, such as repeated breaches involving the same or similar defective practice or policy (e.g., multiple losses of unencrypted laptops) or losses caused by a well-known system vulnerability that should have been long remedied.
- Quality (or Lack Thereof) of the Breach Notice. An unusually vague or patently noncompliant breach notice, or a failure to provide the required notice at all, is likely to trigger follow-up inquiries, especially when combined with one of the above flags.
- Speed of Breach Notice. Even though companies experiencing a breach are afforded “reasonable time” (a term with substantial flexibility under applicable law) to meet breach reporting obligations, the Attorney General may undertake investigations when a response appears to be unusually slow relative to the extent of potential harms – commonly flagged when the Attorney General begins receiving consumer complaints in advance of any required reporting.