Massachusetts Cybersecurity, Plainly Explained

If You Think You've Had an Incident

Stay calm. Work through these steps in order. The goal is to limit damage, preserve your options, and understand what happened before making big decisions.

  1. Isolate the affected device. Disconnect it from Wi-Fi and unplug any network cables. This stops the problem from spreading to other systems while you figure out what happened.
  2. Preserve evidence before making changes. Take screenshots of anything unusual. Note what you saw, when you saw it, and what the device was doing. Do not wipe or factory-reset the device yet — that can destroy information you will need later.
  3. Change credentials from a clean, unaffected device. Update passwords for email, banking, and any accounts you used on the affected system. Use a phone or a different computer, not the affected device. Enable multi-factor authentication if you have not already.
  4. Contact your IT provider or managed service provider (MSP). If you have one, call them now. If you do not, consider reaching out to a local IT professional before taking further action. An expert can help you assess scope and avoid mistakes.
  5. Check your backups. Verify that your most recent backup is intact and was not affected. Do not restore from backup until you understand what happened — a compromised backup can reintroduce the problem.
  6. Notify affected individuals if personal information was involved. If you believe personal information of customers, employees, or others may have been accessed or taken, those individuals may need to be notified. Consult counsel before communicating externally about a potential breach.
  7. Report to the Massachusetts Attorney General if required. Under Chapter 93H, if the breach involves personal information of Massachusetts residents, you are required to notify the Office of the Attorney General and affected residents as soon as reasonably possible. See Official Resources for the reporting link.

What Massachusetts Law Expects

Massachusetts has two primary legal requirements that affect how businesses and individuals must handle personal information: a regulation (201 CMR 17.00) and a statute (Chapter 93H). This is general guidance only — not legal advice. Consult qualified counsel for questions about your specific situation.

201 CMR 17.00 — Written Information Security Program

This regulation requires any person or business that owns, licenses, stores, or maintains personal information about Massachusetts residents to develop, implement, and maintain a Written Information Security Program (WISP). A WISP is a documented set of security policies and procedures tailored to your organization's size and the type of information you handle.

Key requirements include: conducting a risk assessment, training employees on security policies, including data security terms in vendor contracts, and implementing technical safeguards such as encryption, access controls, and secure password policies.

Chapter 93H — Breach Notification

If a breach of security occurs involving personal information of Massachusetts residents, Chapter 93H requires that affected residents and the Office of the Attorney General be notified "as soon as reasonably possible and without unreasonable delay."

A breach under Chapter 93H means the unauthorized acquisition or use of unencrypted personal information that creates a substantial risk of identity theft or fraud. Personal information under the law means a Massachusetts resident's first name (or initial) and last name combined with one or more of: Social Security number, driver's license or state ID number, financial account number with any required access code, or biometric data.

Basic Controls That Reduce Risk

These eight controls address the most common ways small businesses and individuals are compromised. None require a large budget.

  • Multi-factor authentication (MFA). Enable MFA on every account that supports it — especially email, banking, cloud services, and remote access tools. MFA stops most credential-based attacks even when a password is stolen. An authenticator app (Google Authenticator, Authy) is more secure than SMS.
  • Password manager. Use a password manager (Bitwarden, 1Password) to generate and store a unique, complex password for every account. Reusing passwords across sites is one of the most common causes of account takeover.
  • Patch management. Apply operating system and software updates promptly, especially security patches. Many breaches exploit vulnerabilities that have had available fixes for months. Enable automatic updates where possible.
  • Endpoint protection. Run reputable antivirus or endpoint detection software on all devices used for business. Most modern operating systems include built-in options (Windows Defender, macOS XProtect) that are effective when kept updated.
  • Backups (offsite and tested). Keep regular backups of critical data in a location separate from your primary systems — offsite or in a separate cloud account. Test restores periodically. A backup you have never tested may not work when you need it.
  • Least privilege. Give employees, contractors, and systems only the access they need for their role. Limit administrator rights to those who require them. Remove access promptly when someone leaves.
  • Security awareness training. Train employees to recognize phishing emails, suspicious links, and social engineering attempts. Phishing remains the most common initial access vector for ransomware and business email compromise.
  • Vendor review. Ask vendors who handle your data about their security practices. Review contracts for data handling, breach notification, and liability terms. Under 201 CMR 17.00, your vendor agreements must include data security requirements.

Common Questions

What counts as a breach under Massachusetts law?

Under Chapter 93H, a breach occurs when personal information is acquired or used by someone without authorization in a way that creates a substantial risk of identity theft or fraud. Personal information means a Massachusetts resident's first name (or initial) plus last name, combined with their Social Security number, driver's license or state ID number, financial account number with any required access code, or biometric data.

Who is required to report a breach?

Any person or business that owns, licenses, or maintains covered personal information about Massachusetts residents and experiences a qualifying breach must notify affected residents and the Office of the Attorney General. This applies to businesses of all sizes.

Does this apply to small businesses?

Yes. Both Chapter 93H and 201 CMR 17.00 apply to any entity that owns or licenses personal information of Massachusetts residents, regardless of company size or whether the business is located in Massachusetts. There is no small business exemption, though the WISP requirements under 201 CMR 17.00 are intended to be scaled to the size and complexity of the organization.

What if I only store customer names and email addresses?

A name alone, or a name combined only with an email address, typically does not trigger the Chapter 93H breach notification requirement, because email is not among the defined sensitive identifiers. That said, carefully review everything your organization stores — many businesses collect more than they realize. If you also store SSNs, financial data, or other defined identifiers, those records are covered.

What should I do first if I suspect an incident?

Isolate the affected device to stop the problem from spreading, then preserve evidence before making any changes. Avoid wiping or resetting the device until you understand what happened. See the checklist under "If You Think You've Had an Incident" above for the full step-by-step sequence.

When should I call a lawyer?

Contact counsel as soon as you have reason to believe personal information of Massachusetts residents may have been accessed or acquired without authorization. Breach notification requirements have time constraints — "as soon as reasonably possible and without unreasonable delay" — and an attorney can help you determine whether Chapter 93H applies, what to include in notifications, and how to document your response.

How do I know whether a vendor was involved?

Review your vendor contracts for breach notification obligations — vendors who handle your data should be contractually required to notify you of incidents. Under 201 CMR 17.00, service providers are required to implement appropriate security measures. Contact the vendor directly and ask whether they experienced any incident affecting your data. If the vendor provides a shared service, check their status page and any communications they have issued.