Cybersecurity: Massachusetts Office of the Attorney General Reports Settlement in Data Breach Law Case
This article was featured in the August 2022 edition of the Utility Contractors Association of New England, Inc.’s Construction Outlook.

We often write about issues of legal compliance and the Commonwealth’s aggressive enforcement of laws, including those aimed at protecting individuals and employees.  While the facts and applicable legal requirements may differ from one case to another, the underlying theme often remains the same: it is critical for businesses to remain up to speed with applicable legal requirements and comply with them.  Otherwise, employers can face potentially harsh consequences.  Another recent example has arisen in a slightly different context: cybersecurity.

In July 2022, the Massachusetts Office of the Attorney General issued a press release announcing a settlement with an out-of-state company alleged to have violated the Massachusetts Data Breach Law and its regulations (M.G.L. c. 93H and 201 C.M.R. § 17.00, et seq.).  In short, the Data Breach Law and its regulations impose certain requirements designed to protect the “personal information” of residents of the Commonwealth.  “Personal information” is defined to include a person’s name in combination with other personal identification data, such as a social security number, driver’s license number or state-issued identification card number, or other financial account information.  Among other things, the regulations require that “[e]very person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” (“WISP”) to protect personal information.  The Data Breach Law authorizes the Attorney General to enforce its provisions through Chapter 93A.

In this particular case, the Attorney General investigated a job placement company that connects trade workers with construction contractors.  According to a Notice of Discontinuance filed in Suffolk County Superior Court, the Attorney General alleged that:

  • The company had stored personal information of employees and clients on its network;
  • In December of 2020, the company realized that its network had been compromised: a third party had accessed the personal information of at least 3,036 Massachusetts residents and threatened to publicly release the information if the company did not pay a ransom;
  • The company’s investigation suggested that the third party obtained the data through a “phishing” email attack and was able to transfer the data to an outside server;
  • At the time of the attack, the company did not have a WISP required by 201 C.M.R. § 17.00 et seq.

In these circumstances, the Attorney General alleged that the company “failed to develop, implement, and maintain a comprehensive written information security program with appropriate safeguards to protect the sensitive personal information it owned, licensed, and/or maintained.”  The Attorney General further alleged that the company violated the Data Breach Law and its regulations, as well as Chapter 93A.

According to the Notice of Discontinuance settling the claims, the company agreed to pay $230,000.00 in penalties.  The company also agreed to institute a WISP, provide a copy of its WISP to the Attorney General, obtain an independent third-party report on the company’s efforts to safeguard personal information, and provide that report to the Attorney General.  The settlement included other requirements as well, including training requirements and technical requirements to ensure that its systems are protected against future cybersecurity attacks.  In her press release, the Attorney General commented that “[c]ompanies need to have the proper security measures and systems in place to keep the sensitive information safe from hackers.”

Cybersecurity has arisen as yet another area in which compliance (and vigilance) is critical.  Employers must be sure to comply with applicable legal requirements to protect sensitive data and information, including personal information.  Beyond written policies and procedures, employers also need to maintain robust technical systems and safeguards to protect against data vulnerabilities and breaches.  Regular training will also help equip employees to spot suspected data attacks, such as phishing emails, rather than fall prey to them.  Insurance brokers may also provide useful advice concerning the availability and potential protections of cybersecurity insurance.  The bottom line is that, with so much information housed and transmitted electronically, it has become essential for employers to pay close attention to cybersecurity issues as a necessary part of doing business in the Commonwealth.