

Survey Answer:

• A natural person, corporation, association, partnership or other legal entity, or any agency, executive office, department, board, commission, bureau, division, or authority of MA, or any of its branches, or any political subdivision thereof (collectively, Entity) that owns, licenses, maintains, or stores data that includes PI about a resident of MA.
o The provisions governing maintenance of PI are applicable to any Entity maintaining information on MA residents, whether or not organized or licensed under the laws of MA.
• An unauthorized acquisition or unauthorized use of unencrypted data or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of PI, maintained by an Entity that creates a substantial risk of identity theft or fraud against a MA resident.
o A good-faith but unauthorized acquisition of PI by an Entity, or employee or agent thereof, for the lawful purpose of such Entity, is not a breach of security unless the PI is used in an unauthorized manner or subject to further unauthorized disclosure.
• A resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relates to such resident:
o Social Security number;
o Driver’s license or state-issued identification card number; or
o Financial account number or credit card number, with or without any required security code, access code, personal ID number, or password, that would permit access to a resident’s financial account.
• The Standard adopts a risk-based approach to information security, meaning that a business should take into account “the particular business size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.” Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation, “Frequently Asked Questions Regarding 201 CMR 17.00,” Nov. 3, 2009, available at
• PI does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

Provided By:
Fred Bellamy: Ryley Carlock & Applewhite