In September 2014, the Massachusetts Office of Consumer Affairs and Business Regulation released its 2013 Data Privacy Report, which includes an in-depth analysis of data breaches involving the personal information of Massachusetts residents during 2013.
The report identifies the types of breaches reported (88% involving electronic records; 12% involving paper, faxes/mail/e-mail, or a combination of paper and electronic records) and the industries most affected. Not surprisingly, the financial services industry accounted for the largest share, 85% of the total reported breaches, followed by the health care industry (5%). As for the industry with the biggest increase in the number of residents affected by data breaches, the education industry saw a massive 611% jump, from 5,208 Massachusetts residents affected in 2012 to 31,780 in 2013.
The report also underscores the need for businesses to comply with the Massachusetts data security regulations that came into effect in 2010. Among other things, the regulations require any person or entity that owns or licenses personal information of Massachusetts residents to develop and implement a Written Information Security Plan (“WISP”). In addition to further requirements, businesses acting in accordance with a WISP must: (1) designate an individual to maintain and be responsible for the program; (2) identify any reasonably foreseeable data security risks; (3) protect and restrict access to paper and electronic forms of any personal information; and (4) oversee any third-party service providers and ensure that those service providers comply with the regulations. More information about the Massachusetts data security regulations can be found in our past client alerts from March 9, 2009, March 17, 2009 and February 17, 2012.
When discussing possible liability of a business related to a data breach, the 2013 Data Privacy Report stated that a business’ “WISP and documentation of steps taken to guard and protect the personal information it retains or entrusts to a third party vendor and its response will be paramount in assessing its degree of culpability in the incident.”
In a year that has seen data breaches of several major corporations, this report serves as a reminder for all businesses to take a proactive approach by: (1) promoting a culture of security within their organizations; (2) committing to the protection of personal information by instituting mechanisms to ensure compliance with all applicable privacy and data protection laws, many of which require the implementation of reasonable administrative, technical, and physical safeguards to protect the confidentiality, and prevent the unauthorized interception, of personally identifiable information; and (3) being prepared to address the effects of a data breach in the event that one occurs.