Data Breaches in Massachusetts

Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. On October 31, 2007, the Commonwealth’s Data Security Breach Law, Mass. Gen. Law c. 93H, went into effect. On March 1, 2010, the Office of Consumer Affairs and Business Regulation’s Data Security Regulations, 201 CMR 17.00, went into effect.

The Office of Consumer Affairs and Business Regulation has been tracking the data breach notifications it has received under the law. As of Sept. 30, 2011, there had been 1,833 notifications of security breaches. The number of Massachusetts residents affected by the reported incidents since November 1, 2007, now totals 3,166,031. (I’m not sure if the report is double-counting “residents” who may be involved in more than one data breach. After all, there are fewer than 7 million residents in Massachusetts.)

The biggest breach in 2011 was the Sony PlayStation Network incident, which affected 560,990 residents. The second largest came from the state itself, when 245,000 residents were affected by a large malware data breach in the Department of Unemployment Assistance. That puts entertainment and state government into the top two slots for breach types in 2011 and in third and fourth place for breaches since 2007. Health care and financial services are the leading industries for breaches.