Massachusetts Data Breach Notification Packet
(M.G.L. c. 93H compliant; prepared for immediate attorney customization)
[// GUIDANCE: This packet contains two separate letters, one for the Massachusetts Attorney General/Office of Consumer Affairs & Business Regulation (“AG/OCABR Letter”) and one for affected Massachusetts residents (“Consumer Letter”). All bracketed items must be completed or removed prior to issuance. DO NOT interchange the letters; different statutory content rules apply.]
TABLE OF CONTENTS
- Document Header & Global Placeholders
- Definitions
- AG/OCABR Letter (Statutory Notice)
- Consumer Letter (Resident Notification)
- Optional Attachment A – Credit Monitoring Enrollment Instructions
- Execution Block
1. DOCUMENT HEADER & GLOBAL PLACEHOLDERS
[ORGANIZATION LETTERHEAD]
Effective Date of Notice: [MM/DD/YYYY]
Incident/Breach Reference No.: [INTERNAL ID]
2. DEFINITIONS
(Alphabetical; delete unused definitions)
“Breach” – The incident described in Section 3.
“Covered Information” – Personal information as defined in Mass. Gen. Laws ch. 93H, § 1.
“Individual” – Each Massachusetts resident receiving the Consumer Letter.
“Organization” – [Legal Name of Notifying Entity], including all relevant subsidiaries.
3. AG/OCABR LETTER
(Send simultaneously to both the Massachusetts Attorney General and the Office of Consumer Affairs & Business Regulation; may be submitted via the OCABR web portal.)
To:
1. Office of the Attorney General, Commonwealth of Massachusetts
One Ashburton Place, Boston, MA 02108
2. Office of Consumer Affairs & Business Regulation
501 Boylston Street, Suite 5100, Boston, MA 02116
Re: Notice of Data Breach Pursuant to Mass. Gen. Laws ch. 93H, § 3(b)
3.1 Identity of Organization
• Legal Name: [Legal Name]
• Principal Address: [Street, City, State, ZIP]
• Point of Contact: [Name, Title], [Phone], [Email]
3.2 Incident Overview
On [Date of Discovery], the Organization determined that unauthorized [access to/acquisition of] Covered Information occurred on or about [Approximate Breach Date Range] (the “Breach”). The Breach resulted from [brief factual nature – e.g., phishing attack, lost encrypted laptop, third-party vendor compromise].
3.3 Scope of Impact
• Total Massachusetts residents affected (as of this notice): [Number]
• Total U.S. residents affected (all states): [Number]
• Approx. records involved: [Number/“Undetermined”]
3.4 Categories of Covered Information Compromised
☐ Social Security number
☐ Driver’s license/state ID number
☐ Financial account/credit card information
☐ Medical information or insurance ID number
☐ Other: [Describe]
3.5 Remediation & Containment Measures
The Organization has:
1. Contained the incident by [action];
2. Engaged independent cybersecurity specialists to conduct forensic analysis;
3. Implemented multi-factor authentication and enhanced monitoring;
4. Notified federal law-enforcement (if applicable) on [Date].
3.6 Consumer Notification & Timing
Consumer notices are being mailed/e-mailed on [Mailing Date], which is within 30 days of discovery, satisfying Mass. Gen. Laws ch. 93H, § 3(a).
3.7 Credit Monitoring (if SSNs involved)
The Organization will provide [18 / 42] months of complimentary credit monitoring in compliance with Mass. Gen. Laws ch. 93H, § 3A. See Attachment A.
3.8 Contact for Regulatory Follow-Up
[Name, Title]
[Direct Phone] • [Email]
Respectfully submitted,
[Authorized Signatory Name]
[Title]
[Organization]
4. CONSUMER LETTER
(Must NOT include: (a) nature of the breach, (b) number of persons affected, or (c) detailed remediation steps. See Mass. Gen. Laws ch. 93H, § 3(b).)
[DATE]
[First Name Last Name]
[Address]
[City, State ZIP]
Subject: Important Notice About Your Personal Information
Dear [First Name],
What Happened
We recently discovered that certain personal information belonging to you was involved in an incident (the “Incident”) on [Approx. Date Range].
What Information Was Involved
Based on our review, the Incident involved one or more of the following data elements associated with you:
• [List each category selected in § 3.4]
What We Are Doing
• We secured the affected systems and enhanced our safeguards.
• To help protect you, we are offering [18 / 42] months of complimentary credit monitoring and identity-theft protection services at no cost. Enrollment instructions appear in Attachment A.
What You Can Do
- Obtain a Police Report: You have the right to file or obtain a copy of a police report concerning identity theft.
- Place a Fraud Alert: Contact any one of the three nationwide credit-reporting agencies to request a fraud alert:
• Equifax – 800-525-6285 | equifax.com
• Experian – 888-397-3742 | experian.com
• TransUnion – 800-680-7289 | transunion.com
- Security Freeze (Free of Charge): Under state law, you may place, lift, or remove a security freeze at no cost. Contact the credit-reporting agencies using the information above or visit their websites.
- Remain Vigilant: Review account statements and credit reports promptly. Report suspected identity theft to law enforcement.
For More Information
If you have questions, please call [Toll-Free Number] Monday–Friday, [Hours, Time Zone], or email [Dedicated Incident Email].
We regret any inconvenience or concern this Incident may cause and remain committed to protecting your information.
Sincerely,
[Authorized Signatory Name]
[Title]
[Organization]
Attachment A – Credit Monitoring Enrollment Instructions
[// GUIDANCE: Insert vendor name, website, telephone, unique activation code, and enrollment deadline (minimum 90 days from letter date). Confirm vendor contract satisfies § 3A’s “no waiver of rights” prohibition.]
5. EXECUTION BLOCK
Executed on behalf of the Organization on [MM/DD/YYYY].
[Name] | [Title]
(Seal, if corporate)
[// GUIDANCE:
1. File copies of both letters and any portal submission confirmation.
2. If > 10 Massachusetts residents are affected, also notify the nationwide credit-reporting agencies under § 3(b)(iii).
3. Maintain evidence of mailing to each consumer (e.g., USPS Certificate of Mailing).
4. Re-evaluate within 30 days for any material changes requiring supplemental notice.]