The Massachusetts Office of the Attorney General has created a new Data Privacy and Security Division. This Division is charged with protecting consumers from the threats to the privacy and security of their data. The Attorney General, Maura Healey, announced “The Data Privacy and Security Division will build on our office’s commitment to empowering Massachusetts consumers in the digital economy, ensuring that companies are protecting personal data, and promoting equal and open access to the internet.”

Attorney General Healey announced that the Data Privacy and Security Division will “investigate and enforce the Massachusetts Consumer Protection Act and Data Breach Law to protect the security and privacy of consumers’ data.” This new Data Privacy and Security Division is the latest development in increasing efforts by Massachusetts officials to address cybersecurity concerns. In the Fall of 2019, Massachusetts Governor Charlie Baker introduced an expansive cybersecurity program, including statewide workshops for municipalities to work together to enhance their cybersecurity capabilities.

Notably, last Spring, Massachusetts updated its data breach notification law with changes that are likely to create opportunities for enforcement by the division. In particular, the new law expanded the content requirements for notifications to the Attorney General and Office of Consumer Affairs and Business Regulation (OCABR) to include, among other things, whether the business that experienced the breach maintains a written information security program (WISP) and whether it has updated the WISP. Employers maintaining personal information of Massachusetts residents should revisit their incident response plan (or develop one).

Employers operating in Massachusetts or holding data on Massachusetts residents should be aware of the focus that Governor Baker and Attorney General Healey have placed on cybersecurity. These Massachusetts programs highlight the importance of conducting risk assessments to identify and address potential vulnerabilities to hackers as well as security risks created by employees and contractors.

Michael R. Bertoncini

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.