Massachusetts Data Breaches: 1 in 3 Affected Since 2010.

Massachusetts passed a data security law in 2007 (it went into effect in 2010).  One of the strictest state data security laws, if not the strictest, it carries a number of requirements, including notifying the state Attorney General of any data breach involving Massachusetts residents.  Today, the AG’s office released statistics collected over the past twenty months: one in three residents was affected by a data breach.  The stories covering the announcement fail to point this out, but the use of data encryption is a guaranteed way to not become part of that statistic.


According to the reports, over two million Mass residents were affected by at least one data breach.  That’s nearly one in three residents.  The type of information involved was far-ranging, from names to medical histories to financial information.

  • 1,166 data breaches were reported

  • 54% were attributed to hacking, merchant breaches, and theft

  • Almost 500 breaches (42%) came from financial institutions

  • 82% of breaches affected fewer than 100 people

  • 30% of breaches involved one person

  • 16 breaches involved 10,000+ residents

  • 23% of breaches involved human error (e.g., wrong recipients for emails and faxes)

  • 25% involved deliberate hacking of computers holding sensitive data

  • 15% involved theft of credit card data from retailers

I haven’t seen any statistics on what percentage of the breaches involved the loss or theft of laptops and other portable data storage systems, but I’m very interested in them.

A Couple of Requirements

Why this interest in laptops?  One of the requirements under Mass General Law 93 is for data on such devices to be protected with encryption software such as AlertBoot endpoint security.

Remember, that’s a requirement, not a suggestion (such as, say, under HIPAA).  I’ve wondered what percentage of companies would actually comply with that aspect of the law (although, to be relatively certain, audits based on random samples would have to be conducted).

Another requirement under the law is that strong encryption must be used, so something like AES-128 or higher is currently required under the MA data breach law.  Conceivably, if a company encrypts customer data with something weaker and a device gets stolen, it would have to report the incident to the AG’s office.  (I’d like to take a gander at such stats as well.)
