Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
Notification: Content of the Letter
About half of the states mandate specific content for the notification letter. Massachusetts is a key exception: it prohibits describing the nature of the breach or the number of residents affected. The elements commonly required are:
- A general description of the incident and an approximate date
- The type of personal information subject to unauthorized access/acquisition
- General acts the business took to protect the information
- A telephone number and conspicuous website notice for further assistance
- Steps the person may take to protect against identity theft
- Toll-free numbers and addresses for the major consumer reporting agencies (CRAs)
- Contacts for the FTC and the relevant offices of attorneys general
Massachusetts contradicts the norm
While almost all states want a general description of the incident, Massachusetts prohibits including a description of the nature of the breach or the number of residents affected. A single nationwide letter template can therefore violate Massachusetts law.