If you have had to provide data breach notices across any number of states (and who hasn’t….), you would know that they vary widely in how those notices must be provided to state regulators. In some states (for example, California, North Carolina, Indiana, and New York), the Attorney General’s office has established an online portal that must be used for breach notices. In still other states, notice letters must be sent to one or multiple regulators.
Pursuant to the Massachusetts data breach notification statute, M.G.L. 93H, notices must be provided to the affected resident, the Attorney General’s office and to the Office of Consumer Affairs and Business Regulation (OCABR). It is not enough that Massachusetts has a sui generis breach notice content statutory requirement (you must tell affected residents of the breach, but you can’t tell them about the breach), now the OCABR has created its own notice submission portal that is a separate form and not just a place to upload a copy of the AG notice. A letter sent out earlier this month also says “It is important to note that this electronic submission form only satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the AGO and the affected Massachusetts residents.”
Make sure you update your incident response plan to account for this additional notice requirement.