Take a few hours, look at your data, and submit an online form. That’s all you may have to do!

For this article, our focus is on small to medium-sized businesses based in Massachusetts.
First, if you leaked thousands of Social Security numbers, then this article isn’t for you.
If your company was attacked with ransomware and thousands of financial records were exposed, you already know you’re in hot water – you’re already working with lawyers, insurance, and collaborating with IT on containment. At this point you shouldn’t have questions about whether to disclose the breach.
But what if your breach was small?
Your breach may be relatively small. Perhaps your email was compromised, a file was misdirected, a laptop is hopelessly lost, or a Google Drive folder was shared too broadly.
You may be thinking:
“It only affected a few people” or
“I don’t think anyone was affected” or
“I don’t have social security numbers or credit cards in my email”
As the IT department, we’re often asked how to respond to this kind of situation. As such, we understand that there’s a balancing act between legal counsel (expensive) and input from IT experts who follow industry standards in analyzing and responding to these issues. It is completely reasonable in most small breach situations to just follow a few simple steps.
Here are a couple of quick questions to help you figure out whether you need to comply with notification laws:
1) Do you know with 100% certainty that there was no exposure? (Most people will answer NO.) If IT can rule out any access, you don’t need to worry or proceed with notification. This could be the case if you got a spam email and clicked on a link but never entered your credentials, or if you did provide credentials but IT changed your password right away and confirmed your account wasn’t accessed.
2) Are you 100% sure there was not a single credit card/account number, Social Security number, or similar kind of information in the data exposed? (Most people will answer NO.) This is a hard one because most people generally don’t have this information. But what if you were sent information about a potential HR hire and the SSN was included in the PDF? What if a client emailed you saying “please use this credit card instead 4564-5646-6565”? If you’re retaining 10 years of email, are you 100% sure this never happened?
Most of the time the answer to these questions will be “Maybe”. In fact, 95% of the time the answer is “Maybe”.
One way to evaluate your risk on this question is to consider the following:
- Look at the employee’s role: would they ever handle this kind of data, even remotely?
- How old / large is the data in question? If a mailbox is only a few months old, the risk will be relatively lower.
- Search email contents: have IT search the email contents for red flags such as “SSN”, “Credit Card” and “DOB”.
Here’s the Good News: You Might Only Need to File a Form
Here’s the thing: most reported breaches are small.
To put things into perspective, of the approximately 2,300 breaches reported in MA in 2023, 70% of them affected fewer than 10 people. Almost HALF of all reported breaches (47%) were for just 1 person. (ref: https://www.mass.gov/lists/data-breach-notification-reports)
If you think just a single person’s personal or financial data was exposed – you should notify the state.

Do I have to send a letter to affected individuals?
If you’re not sure anyone’s personal info was exposed, you might not need to tell them. It’s important that you honestly try to look for individual information in your exposed data so you can ascertain whether you have someone to notify. There is no exact science to how much effort to spend on this search, as it should be balanced against the risk assessment above. If your data is small (a single mailbox with a few years of email), my guidance is to spend at least a few hours searching your data. If you come up empty, document what you did: did you make a ‘good faith’ effort to locate personal information?
What will we need to do?
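One way to carry out and document the red-flag search from the checklist above is the script below, an added example that is not part of the original article. It assumes you have already pulled the message bodies out of a mailbox export (the sample bodies are constructed), matches the checklist keywords plus a few common variants, SSN-shaped numbers in the hyphenated form, and Luhn-valid card numbers, and records only masked values so your search notes don’t become a second copy of the data.

```python
import re
from collections import Counter
# Red-flag terms from the checklist above plus common variants (constructed list; extend as needed).
KEYWORDS = ["ssn", "social security", "credit card", "dob", "date of birth",
            "account number", "routing number", "driver's license"]
KEYWORD_RES = [re.compile(r"\b" + re.escape(k) + r"\b") for k in KEYWORDS]
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # hyphenated 123-45-6789 form only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")     # 13-19 digits, optional separators

def luhn_valid(digits: str) -> bool:
    """Luhn checksum filters order numbers and phone strings out of card candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_message(msg_id: str, text: str) -> list:
    """Return (msg_id, kind, masked value) tuples; the full identifier is never recorded."""
    findings = []
    lowered = text.lower()
    for kw, rx in zip(KEYWORDS, KEYWORD_RES):
        if rx.search(lowered):
            findings.append((msg_id, "keyword", kw))
    for m in SSN_RE.finditer(text):
        findings.append((msg_id, "ssn_pattern", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append((msg_id, "card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def scan_mailbox(messages: dict) -> list:
    """messages maps a message id to its body text (e.g. built with Python's mailbox module)."""
    return [f for msg_id, text in messages.items() for f in scan_message(msg_id, text)]

def summarize(findings: list) -> Counter:
    """Hit counts per kind: the numbers to record in your good-faith search notes."""
    return Counter(kind for _, kind, _ in findings)

if __name__ == "__main__":
    # Constructed sample bodies; 4111 1111 1111 1111 is the classic Luhn-valid test number.
    SAMPLE = {
        "m1": "Attached is the candidate's resume. Her SSN is 123-45-6789 for the background check.",
        "m2": "Please use this credit card instead: 4111 1111 1111 1111, exp 12/26.",
        "m3": "Your order number 1234 5678 9012 3456 has shipped.",
        "m4": "Lunch at noon? The Adobe renewal is due Friday.",
    }
    findings = scan_mailbox(SAMPLE)
    print(*findings, dict(summarize(findings)), sep="\n")
```

The masked findings list plus the per-kind counts are what you keep with your notes as evidence of the search; a mailbox with zero hits is the basis for the “no evidence of MA-defined personal information” statement used on the state forms.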
In summary, you have to notify the state and need to notify the affected users (if you know who they are).
Notification to the State:
For MA, you’ll need to submit two short forms online: one to the Attorney General’s (AG) office and another to the Office of Consumer Affairs and Business Regulation (OCABR).
• AG Notification Form: https://www.mass.gov/forms/data-breach-notification
• OCABR Notification: https://www.mass.gov/how-to/file-a-security-breach-notification
Some things you’ll need to include in the online form:
– brief non technical description
– the kind of data involved (email, dropbox, etc)
– how many MA residents were affected
– whether law enforcement or other services were involved
– whether your company has a Written Information Security Program (WISP)
– Note: The forms don’t ask about your WISP explicitly — you must manually include it in your breach description.
– You’ll need to include whether, when and how the individuals were notified. If you determined there was no need to notify individuals, here’s what to say:
Option A) “We conducted a targeted search of a compromised mailbox based on high-risk keyword patterns and found no evidence of MA-defined personal information.”
Option B) “On [date], mailbox [user] was compromised. We reviewed the employee’s role and content of the account using [search method]. We found no evidence that MA-defined personal information was accessed. No notification required under M.G.L. c. 93H.”
Notification to Individuals
You will need to notify the people whose data might have been exposed in the breach. This should be done by mail or email. You need to tell them about the data that was involved (SSN / bank account, etc.). You should tell them they have a right to file a police report and provide them some instructions on how they might freeze their credit (and that there are no costs for this). If you want to offer credit monitoring, let them know. You SHOULD NOT include details of the breach or how many people were affected.

Letter to Individuals.
Here is a sample letter you might send to a small number of people who were affected by a breach:
Subject: Notice of Data Security Incident
Dear [First Name],
We are writing to inform you of a recent data security incident that may have involved some of your personal information.
What happened
On [Date of Discovery], we discovered that an unauthorized individual gained access to an employee email account. After investigating, we determined that one or more emails in the account may have contained your name along with your bank account number.
What information was involved
The information potentially exposed included your first and last name and your bank account number. No passwords, Social Security numbers, or access codes were involved.
What we are doing
We took immediate steps to secure the affected email account and prevent further access. We also reviewed the contents of the account and are contacting all individuals whose information may have been exposed.
While we have no evidence of misuse, we are providing this notice out of an abundance of caution. We are also enhancing our internal controls and training to prevent similar incidents in the future.
What you can do
We recommend that you monitor your bank account for any unauthorized activity. If you notice anything suspicious, contact your bank immediately.
You have the right to obtain a police report regarding this incident. You may also place a security freeze on your credit file at no cost. Instructions for requesting a security freeze from each of the major credit bureaus are available below:
• Equifax: 1-800-349-9960 or www.equifax.com
• Experian: 1-888-397-3742 or www.experian.com
• TransUnion: 1-888-909-8872 or www.transunion.com
There is no charge to place, lift, or remove a security freeze.
For more information
If you have any questions or concerns, please contact us at [Your Contact Name], [Your Phone Number] or [Your Email Address].
We sincerely regret any inconvenience this may cause.
Sincerely,
[Your Full Name]
[Your Title / Business Name]
[Company Contact Info]
–
Small breaches still matter. A little effort now can prevent a lot of trouble later—and help you meet your legal obligations with confidence.
Scott Morabito is a technologist and founder of TechTonic. He is a computer scientist and resides in Concord, MA.