Massachusetts Releases Online Reports of Data Breaches

The state Office of Consumer Affairs and Business Regulation has made public an online archive of data breach notifications affecting Massachusetts residents from 2007 through 2016.

by Susan Spencer, Telegram & Gazette, Worcester, Mass. / January 5, 2017

(TNS) -- It could be through a bank or a hospital, an accounting firm or a higher education institution. It could be in a large government agency. Pretty much anywhere personal information is collected, it could be intentionally or accidentally compromised.

On Tuesday, the state Office of Consumer Affairs and Business Regulation made public an online archive of data breach notifications affecting Massachusetts residents from 2007 through 2016.

The state's Data Breach Security Law, in effect since Oct. 31, 2007, requires businesses and others that own or license personal information of state residents to notify affected residents, the Office of Consumer Affairs and Business Regulation and the office of the attorney general when they know or have reason to know that the personal information of a resident was acquired or used by an unauthorized person, or used for an unauthorized purpose.

The updated Public Records Law signed by Gov. Charles D. Baker Jr. in June requires agencies to post online certain public records that they deem to be of significant interest, so the public and news organizations can obtain the information without having to file a public records request.

A look at the year-by-year data shows how widespread data breaches are.

Consumer Affairs Undersecretary John C. Chapman said the increase in the number of reported incidents since 2007 shows better compliance with the requirement to report breaches.

Year-to-year fluctuations in the number of consumers affected reflect spikes from large-scale data breaches.

But the online report does not distinguish between a primary breach, such as a bank's own account holder records being compromised, and a secondary breach, such as a credit card issued by a bank being compromised when used at a store.

"If they become aware of a breach, technically they're required to report it," Mr. Chapman said.

Regional banks show up extensively in the database, although Mr. Chapman stressed that this reflected their compliance with reporting requirements more than a higher frequency of breaches than national banks.

Webster Five, for example, showed more than 5,500 consumers were affected by a breach of credit or debit card information reported in March 2015, as well as several individual reports of breaches throughout the year.

In August 2016, 550 residents were affected by another credit or debit card breach, which the Telegram & Gazette reported resulted from a skimming device placed on ATMs in Dudley and Webster.

The bank reimbursed customers whose debit cards were affected by the fraudulent activity, according to the news story. Credit monitoring was offered to customers as well.

A Webster Five representative did not return a call for comment Wednesday.

Mr. Chapman said, "They're doing exactly what they're supposed to do (by reporting breaches). It doesn't reflect their compliance efforts."

At the other extreme, Bank of America, a large national institution, doesn't show up in recent breach notification reports.

"We don't have any enforcement mechanism to go after them," Mr. Chapman said. "It's really self-reporting."

He added that the reporting differences between local and national businesses, and between those reporting primary breaches within their institutions and those reporting secondary breaches they become aware of, are "frankly something that needs to change at the commonwealth level."

Some national businesses do appear in the report, such as outerwear retailer Eddie Bauer, which listed 33,450 Massachusetts consumers affected by a credit and debit card breach in August 2016. Free credit monitoring was provided to affected customers.

Other large data breaches in Central Massachusetts in recent years include UMass Memorial Medical Group, which in February 2015 reported to the state that 13,205 residents could have been affected after a former employee was accused of accessing thousands of patient billing records that contained credit card and debit card information.

Anna Maria College reported a breach of records in February 2015, affecting 1,161 residents. College spokeswoman Kay Zimmermann said in an email: "The 2015 data breach was due to an internal user error; it was identified and rectified immediately. All who were affected were notified of the breach. New policies and security equipment since then have been implemented to protect sensitive data."

Mr. Chapman said the online archives were expected to raise awareness about data security, and his office has dedicated a full-time staff member to follow up with companies about reporting breaches.

He added that the newly released reports were meant to make the information easier for consumers and businesses to use, and demonstrated "the governor's commitment to greater transparency."

"The information is better than what we had but it's not perfect," Mr. Chapman said. "I think information will get better and better as time goes on."

©2017 Telegram & Gazette, Worcester, Mass. Distributed by Tribune Content Agency, LLC.