According to the Massachusetts Data Breach notification regulation M.G.L. 93H, notices of a breach must be provided to the affected resident, the Attorney General's Office and the Office of Consumer Affairs and Business Regulation (OCABR).
You must also tell the affected residents OF the breach, but you cannot tell them ABOUT the breach. OCABR has created its own notice submission portal, which is a separate form and not just a place to upload a copy of the Attorney General's notice.
Massachusetts Data Breach Notification – OCABR states “It is important to note that this electronic submission form satisfies the notification requirement for OCABR. The submission does not relieve businesses of their legal obligation to separately notify the Attorney General's Office and the affected Massachusetts residents.”
For more information visit Massachusetts Data Security Law.
If you would like support in implementing this important regulation in your business, updating your incident response plan, or establishing the required HIPAA Risk Assessment, review Crown Business Coaching Group's Risk Management, Compliance Support programs, or contact us directly.