Massachusetts - Sectoral Privacy Overview
The Commonwealth of Massachusetts has been known as a leader and trendsetter among US states regarding privacy and data security matters. Massachusetts attracted particular attention in 2009, for example, for enacting a regulation, the Standards for the Protection of Personal Information of Residents of the Commonwealth ('the Safeguards Regulation'), under §17.00 et seq. of Title 201 of the Code of Massachusetts Regulations ('CMR'), that set forth more specific and prescriptive requirements for safeguarding personal data than other state laws typically required at the time. Massachusetts has a state chief information officer and chief information security officer pursuant to §§2 and 4 of Chapter 7D of Title II of Part I of the Massachusetts General Laws ('Mass. Gen. Laws'), which is not true of all states. Massachusetts also has a general right to privacy law, privacy laws specific to certain contexts including the employment and health sectors, and a broadly applicable consumer protection law that can apply to many practices regarding the treatment of consumer information.
The Massachusetts Constitution does not explicitly enumerate a right to privacy using the word 'privacy'. It does, however, under Article XIV of Part I, contain a provision akin to the Fourth Amendment to the U.S. Constitution, against unreasonable searches and seizures. This provision has been construed by Massachusetts courts in contexts related to the right to privacy vis-à-vis governmental actions, such as tracking of a person's movements via cell phone data (see, e.g., Commonwealth v. Estabrook, 472 Mass. 852 (2015)). Privacy rights in the context of actions by non-governmental entities are generally addressed through other laws, as described below.
2.1. Statutory right to privacy
Massachusetts has a general right to privacy law under §1B of Chapter 214 of Title I of Part III of the Mass. Gen. Laws ('the General Right to Privacy Law'), which provides that '[a] person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.' This brief and broadly written law has been interpreted by Massachusetts courts over the years in a number of contexts in private lawsuits. For example, the law has been held to provide a cause of action in response to publication by a news organisation of private facts of a highly personal or intimate nature which are 'of no business of the public' (see, e.g., Cefalu v. Globe Newspaper Co., 391 NE 2d 935, 939 (Mass. App. Ct. 1979)).
2.2. Privacy torts
Massachusetts law provides for a number of causes of action for invasion of privacy and/or violation of privacy.
2.2.1. Unauthorised use of name, portrait, or picture
For example, Massachusetts law gives rights to individuals regarding unauthorised use of their images for commercial purposes. Under §3A of Chapter 214 of Title I of Part III of the Mass. Gen. Laws, 'Any person whose name, portrait or picture is used within the commonwealth for advertising purposes or for the purposes of trade without his written consent may bring a civil action in the superior court against the person so using his name, portrait or picture, to prevent and restrain the use thereof[.]'
The law does not prohibit every single use of a person's image for commercial purposes; it provides certain specific exceptions, such as for certain exhibits by photographers (Mass. Gen. Laws. ch. 214, §3A).
2.2.2. Supervisory authorities and penalties
A person harmed by such unauthorised use of the person's image may sue for damages. The statute provides that a plaintiff 'may recover damages for any injuries sustained by reason of such use', and that for 'knowing' violations of this law, the court may award the plaintiff triple the amount of the plaintiff's actual damages (Mass. Gen. Laws. ch. 214, §3A).
2.3. Interception of wire and oral communications
Massachusetts is a so-called two-party consent state. Under §99 of Chapter 272 of Title I of Part IV of the Mass. Gen. Laws on the interception of wire and oral communications, with certain exceptions, the consent of all parties to a conversation or the issuance of a valid warrant is generally required before a conversation may be recorded.
2.3.1. Key definitions
Mass. Gen. Laws. ch. 272, §99(B)(2) defines 'oral communication' very broadly, to mean 'speech, except such speech as is transmitted over the public air waves by radio or other similar device'. Thus, an oral communication need not take place only by telephone, for example. Under Mass. Gen. Laws. ch. 272, §99(B)(1) 'wire communication' is defined as 'any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception'.
To 'intercept' such a communication is defined as 'to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication' but exempts law enforcement authorities in certain specified circumstances (Mass. Gen. Laws. ch. 272, §99(B)(4)).
2.3.2. Supervisory authorities and penalties
Mass. Gen. Laws. ch. 272, §99(C) provides for potential imprisonment as well as fines, depending on the particular facts and circumstances and what part of the law is violated.
A private right of action is also provided under Mass. Gen. Laws. ch. 272, §99(Q), pursuant to which a plaintiff may potentially recover actual damages, punitive damages, and reasonable litigation costs.
2.4. Information practices of government agencies and contractors
Massachusetts' Public Records Access Law ('the Public Records Law'), under §32.00 et seq. of Title 950 of the CMR, and the Fair Information Practices Act, under §11.00 et seq. of Title 940 of the CMR and Chapter 66A of Title X of Part I of the Mass. Gen. Laws, set limits on the sharing by Massachusetts governmental agencies of individuals' personal information and set forth obligations regarding public access to certain governmental records. An Executive Order from the Massachusetts Governor also imposes certain requirements regarding the information security practices of Massachusetts agencies. These laws have relevance for private entities that are government contractors as well as for the governmental entities themselves.
2.4.1. Public Records Law
The Public Records Law and its implementing regulations apply to records created by or in the custody of a Massachusetts state or local agency, board, or other government entity. Every government record in Massachusetts is generally presumed by default to be public unless it is specifically exempted in some way, whether explicitly in statutory text or through a recognised legal privilege or interpretation.
Thus, as a general matter, unless the record in question is exempted (see §10 of Chapter 66 of Title X of Part I of the Mass. Gen. Laws; and §7(26) of Chapter 4 of Title I of Part I of the Mass. Gen. Laws), the law requires that public access to the record be allowed, including permitting inspection and furnishing a copy of the record, according to processes described in the law. For instance, the law sets forth certain standards that a request for access must meet, such as reasonably describing the records sought, and provides that reasonable fees may be charged for copies of records (see Mass. Gen. Laws ch. 66, §10; and §§32.06, 32.07 of the Public Records Law).
Because of this broad reach, private entities that are government contractors should be aware that proposals and bids submitted to Massachusetts agencies generally will be public records. The mere fact that a nondisclosure agreement is in place will not, in itself, serve to exempt the proposal or bid from disclosure as a public record. The law does specifically exempt proposal and bid information from disclosure during certain time periods, such as before the time for submitting bids or proposals has expired (see Mass. Gen. Laws ch. 4, §7(26)(h)).
2.4.2. Key definitions
The concept of 'public records' is broadly defined. Under the general statutory definition applicable to this law, 'public records' generally encompasses 'all books, papers, maps, photographs, recorded tapes, financial statements, statistical tabulations, or other documentary materials or data, regardless of physical form or characteristics, made or received by any officer or employee of any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose, or any person, corporation, association, partnership or other legal entity which receives or expends public funds for the payment or administration of pensions for any current or former employees of the commonwealth or any political subdivision', unless such materials or data fall within the exemptions specified under Mass. Gen. Laws ch. 4, §7(26).
Similarly, under the Public Records Law's implementing regulations, 'public record' is defined as '[a]ll books, papers, maps, photographs, recorded tapes, financial statements, statistical tabulations, or other documentary materials or data, regardless of physical form or characteristics, made or received by a governmental entity' unless such materials or data fall within an applicable statutory exemption or legal privilege (§32.02 of the Public Records Law).
The numerous exemptions include personnel and medical files and information relating to a specifically named individual where the disclosure of that information 'may constitute an unwarranted invasion of personal privacy' as specified under Mass. Gen. Laws ch. 4, §7(26).
2.4.3. Supervisory authorities and penalties
The Public Records Law sets forth a process for determining whether a violation of the law has occurred, and remedies for violations (see Mass. Gen. Laws ch. 66, §10; and §§32.08, 32.09 of the Public Records Law). The Massachusetts Attorney General ('AG') has broad authority to take actions to compel compliance, and the superior court has jurisdiction to 'determine the propriety of any agency or municipal action de novo' and can award reasonable attorney fees and costs to the prevailing requester as provided for under Mass. Gen. Laws ch. 66, §10A. Further, any public officer who refuses or neglects to perform any duty required of him by this law can be assessed a fine (Mass. Gen. Laws ch. 66, §15).
2.5. Fair Information Practices Act
Under the Fair Information Practices Act, each Massachusetts executive government agency, or other 'holder' as defined in the law, that maintains 'personal data', as defined in the law, must implement and observe certain 'fair information practices' regarding such data (Mass. Gen. Laws ch. 66A). The Fair Information Practices Act directs each executive office and certain other governmental units to issue regulations implementing the provisions of the same for their respective departments (Mass. Gen. Laws ch. 66A, §3).[1]
The Fair Information Practices Act imposes numerous obligations on every 'holder' maintaining personal data. It is important to note that a 'holder' can include a private, non-governmental entity that is a contractor of a governmental entity covered by this law. The wide variety of obligations include, for instance (Mass. Gen. Laws ch. 66A, §2):
- designating an individual responsible for overseeing the personal data and compliance with the statute;
- informing relevant employees of applicable data protection requirements to be followed;
- refraining from collecting or maintaining more personal data than are reasonably necessary for the performance of the holder's statutory functions;
- preventing unauthorised access to personal data;
- maintaining records of access to personal data;
- taking reasonable precautions to safeguard personal data from physical threats;
- making available to subjects of personal data certain information relating to that personal data, including its existence, collection, and use;
- maintaining personal data 'with such accuracy, completeness, timeliness, pertinence and relevance as is necessary to assure fair determination of a data subject's qualifications, character, rights, opportunities, or benefits when such determinations are based upon such data'; and
- permitting correction and amendment of personal data in certain cases.
2.5.1. Key definitions
Numerous definitions under the Fair Information Practices Act are relevant to determining exactly who and what is covered by the same. It is particularly important to note that the Fair Information Practices Act can extend to private entities in some cases, where such entities are contractors to government agencies.
The Fair Information Practices Act defines 'agency' to mean 'any agency of the executive branch of the government, including but not limited to any constitutional or other office, executive office, department, division, bureau, board, commission or committee thereof; or any authority created by the general court to serve a public purpose, having either statewide or local jurisdiction'.
For private entities, it is important to note the Fair Information Practices Act's definition of 'holder', which can cover private contractors to agencies as well as the agencies themselves. Namely, a 'holder' is 'an agency which collects, uses, maintains or disseminates personal data or any person or entity which contracts or has an arrangement with an agency whereby it holds personal data as part or as a result of performing a governmental or public function or purpose. A holder which is not an agency is a holder, and subject to the provisions of this chapter, only with respect to personal data so held under contract or arrangement with an agency'.
The Fair Information Practices Act also defines 'personal data' broadly, to generally include 'any information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual', with exclusions such as certain records pertaining to criminal offenders, which are covered by other provisions of law (Mass. Gen. Laws ch. 66A, §1).
2.5.2. Supervisory authority and penalties
As noted above, every 'holder' of personal data must maintain procedures that allow individuals to contest the 'accuracy, completeness, pertinence, timeliness, relevance or dissemination' of their personal data or the denial of access to such data maintained in the holder's personal data system and to have personal data corrected or amended under certain circumstances (Mass. Gen. Laws ch. 66A, §2(j)).
Any 'holder' who violates any provision of the Fair Information Practices Act can be liable to any individual suffering any damage as a result, in the amount of any damages sustained as well as 'exemplary damages' of at least one hundred dollars per violation, together with reasonable costs and reasonable attorney's fees (Mass. Gen. Laws ch. 214, §3B).
2.6. The Safeguards Regulation
Massachusetts has a number of laws relating to cybersecurity and other data security matters. For example, the Fair Information Practices Act requires Massachusetts government agencies and, potentially, private entities under contract to those agencies, to implement certain processes and practices regarding data security, including implementing a written information security program ('WISP') (Mass. Gen. Laws ch. 66A).
The centerpiece of Massachusetts' data security regime is the Safeguards Regulation, setting forth specific requirements for safeguarding personal data of Massachusetts residents, including requiring encryption of data in certain circumstances.
The Safeguards Regulation is not specific to any one business sector. Nor is its application limited to businesses based in Massachusetts or doing business in Massachusetts. Rather, it generally applies to 'persons who own or license personal information about a resident of the Commonwealth [of Massachusetts]' and broadly applies to covered information 'in both paper and electronic records' (§17.01(1) of the Safeguards Regulation).
When Massachusetts issued the Safeguards Regulation in 2009, it was the first US state to impose such granular data security obligations. Since then, other states have enacted data security laws, but Massachusetts' approach still contrasts with states whose laws impose only more general requirements to have 'reasonable' security procedures and practices[2] and with numerous other states that do not have specific data security laws at all other than in connection with data breach provisions.
In addition to the Safeguards Regulation, there are other Massachusetts laws that could be relevant in the data protection context. In particular, Chapter 93A of Title XV of Part I of the Mass. Gen. Laws ('the Consumer Protection Law') broadly prohibits 'unfair or deceptive practices', and allows both the AG and individuals to bring actions alleging violations of this law. While it is not specific to data protection practices, it could be used to bring actions where consumers have been harmed due to unfair or deceptive practices involving treatment of their personal information.
2.6.1. Purpose and scope
The Safeguards Regulation establishes minimum standards for the safeguarding of personal information, and applies to such information in paper and electronic form. The stated goals of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information, and protect against unauthorised access to or use of such information that may result in substantial harm or inconvenience to any consumer (§17.01 of the Safeguards Regulation).
The Safeguards Regulation applies very broadly, across industries and to individuals as well as companies. It applies 'to all persons that own or license personal information about a resident of the Commonwealth' (§17.01(2) of the Safeguards Regulation).
2.6.2. Key requirements
The first set of substantive requirements under the Safeguards Regulation is set forth in §17.03, Duty to Protect and Standards for Protecting Personal Information, which centers on the need to develop, implement, and maintain a comprehensive WISP, and specifies components that must be included in the WISP. The requirement to maintain a WISP applies very broadly, to every person, including an individual, that owns or licenses personal information about a resident of Massachusetts (§17.03(1) of the Safeguards Regulation).
The WISP is the organising document or programme that sets forth the administrative, technical, and physical safeguards that the individual or company will use to protect personal information, typically incorporating specific policies and procedures to deploy these safeguards. The safeguards must be appropriately tailored, taking into account factors such as the size, scope and type of business handling the data, and the amount of stored data. The safeguards also must be consistent with any requirements for data protection imposed by any US state or federal regulations applicable to the person or entity (§17.03(1) of the Safeguards Regulation). In the case of financial institutions, for example, the safeguards would need to be consistent with the requirements imposed by federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Fair Credit Reporting Act of 1970 ('FCRA') and their implementing regulations.
The Safeguards Regulation states that the WISP must incorporate certain components, such as the designation of one or more employees to maintain the WISP and oversight of service providers. It must also allow the entity to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards. It must also, for instance, provide for employee training and oversight to ensure employee compliance with the WISP and associated policies and procedures (§17.03 of the Safeguards Regulation).
The Safeguards Regulation also sets forth specific computer system security requirements that must be integrated into the WISP where the person maintaining the WISP electronically stores or transmits personal information of Massachusetts residents. These requirements are found in §17.04 of the Safeguards Regulation, which provides that, among other requirements, the WISP must include secure user authentication protocols, such as control of user IDs and other identifiers, and provisions covering passwords. Notably, the WISP must also provide for encryption of all personal information stored on laptops or other portable devices (§17.04(5) of the Safeguards Regulation). For files containing personal information on a system that is connected to the internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information (§17.04(6) of the Safeguards Regulation).
Encryption of data in compliance with these provisions also offers the prospect of excusing the entity from certain obligations under Massachusetts' data breach notification law, §1 et seq. of Chapter 93H of Title XV of Part I of the Mass. Gen. Laws. The data breach law provides a carveout from its notification requirements where the data in question was encrypted. Specifically, the law's definition of 'breach of security' under Mass. Gen. Laws ch. 93H, §1(a) includes the unauthorised acquisition or unauthorised use of unencrypted data, or of encrypted electronic data together with the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information. Therefore, if the data involved in the incident in question were encrypted at the time of the incident and the key or process used to decrypt the data was not also acquired or used in the incident, the incident is not a 'breach of security' triggering the attendant notification requirements under that law.
2.6.3. Key definitions
The Safeguards Regulation's most significant definition is that of 'personal information', as that definition determines what information will be subject to its requirements.
The Safeguards Regulation defines 'personal information' to mean a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident (§17.02 of the Safeguards Regulation):
- social security number;
- driver's license number or state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that 'personal information' shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
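As an added illustration (not part of the original overview, and not an official test), the following Python models the two definitions just discussed: the §17.02 'personal information' test (name or initial plus last name, combined with a listed data element, minus the public-sources carve-out) and the ch. 93H, §1(a) 'breach of security' elements as quoted above (unencrypted data, or encrypted data plus the key or process). The field labels and the sample records are constructed for the example and are not drawn from the regulation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data elements listed in 201 CMR 17.02. The keys are labels assumed for this
# example, not field names used by the regulation itself.
PI_DATA_ELEMENTS = {
    "ssn",                # social security number
    "drivers_license",    # driver's license number
    "state_id",           # state-issued identification card number
    "financial_account",  # financial account number
    "credit_card",        # credit card number
    "debit_card",         # debit card number
}


@dataclass
class Record:
    """One stored record about a person (constructed sample shape)."""
    first_name: Optional[str]          # a first initial alone also counts
    last_name: Optional[str]
    elements: Dict[str, str] = field(default_factory=dict)
    # True when the data was lawfully obtained from publicly available
    # information or public government records (the 17.02 carve-out).
    publicly_available: bool = False


def is_personal_information(rec: Record) -> bool:
    """Apply the 17.02 definition as quoted in the overview: a name
    (first name or initial plus last name) AND at least one listed data
    element, unless lawfully obtained from public sources."""
    has_name = bool(rec.first_name and rec.first_name.strip()) and bool(
        rec.last_name and rec.last_name.strip())
    has_element = any(
        key in PI_DATA_ELEMENTS and bool(value)
        for key, value in rec.elements.items())
    return has_name and has_element and not rec.publicly_available


@dataclass
class Incident:
    """Facts of an incident relevant to the ch. 93H, s.1(a) elements."""
    records: List[Record]
    data_encrypted: bool    # was the affected data encrypted at the time?
    key_compromised: bool   # was the key/decryption process also acquired or used?


def affected_personal_information(inc: Incident) -> List[Record]:
    """Records in the incident that meet the 17.02 definition."""
    return [r for r in inc.records if is_personal_information(r)]


def is_breach_of_security(inc: Incident) -> bool:
    """Unauthorised acquisition or use of unencrypted personal information,
    or of encrypted personal information together with the key or process,
    counts; encrypted data without the key does not."""
    if not affected_personal_information(inc):
        return False
    if not inc.data_encrypted:
        return True
    return inc.key_compromised


# Constructed sample data (placeholder values, not real identifiers).
SAMPLE_RECORDS = [
    Record("J", "Doe", {"ssn": "000-00-0000"}),                  # initial + SSN
    Record("Jane", "Doe", {"email": "jane@example.com"}),         # no listed element
    Record(None, "Smith", {"credit_card": "0000000000000000"}),  # no first name
    Record("Ann", "Lee", {"drivers_license": "S00000000"}, publicly_available=True),
    Record("Bob", "Ray", {"financial_account": "00000000"}),
]


def demo() -> dict:
    """Run three constructed scenarios and return the decisions."""
    encrypted_key_safe = Incident(SAMPLE_RECORDS, data_encrypted=True, key_compromised=False)
    encrypted_key_taken = Incident(SAMPLE_RECORDS, data_encrypted=True, key_compromised=True)
    plaintext_export = Incident(SAMPLE_RECORDS, data_encrypted=False, key_compromised=False)
    return {
        "pi_count": len(affected_personal_information(encrypted_key_safe)),
        "encrypted_key_safe": is_breach_of_security(encrypted_key_safe),
        "encrypted_key_taken": is_breach_of_security(encrypted_key_taken),
        "plaintext": is_breach_of_security(plaintext_export),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Only the elements quoted on this page are modelled; an actual notification decision turns on the full statutory text and the facts of the incident.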
2.6.4. Supervisory authorities and penalties
Massachusetts has required compliance with the Safeguards Regulation since 1 March 2010.[3] The Safeguards Regulation is enforced by the AG. To date, the AG has focused its enforcement actions on Massachusetts-based businesses, and on businesses that have experienced data breaches. However, it should be kept in mind that whether the regulation has been violated does not depend on whether a breach has occurred. In practical terms, it is intuitive that the AG would focus its limited resources on entities in Massachusetts, which are more likely to have the information of numerous Massachusetts residents, and on situations where a breach has occurred, not only because harm is likelier to have occurred when a breach occurs but also because it may otherwise be difficult to know about the data security compliance practices of businesses, especially for entities that are not examined on a regular basis. However, in an action against Women and Infants' Hospital of Rhode Island, based outside Massachusetts, involving a data breach that compromised the data of numerous Massachusetts residents, the AG cited violations of the data security regulations as well as of the Consumer Protection Law.
The Safeguards Regulation does not provide an explicit private right of action, but individuals may bring actions under the Consumer Protection Law, as discussed elsewhere.
Massachusetts law contains a number of privacy-related provisions that relate directly to the healthcare sector, including laws facilitating patients' access to their records and providing for confidentiality of certain health-related information. Some of these protections are set forth in a patient 'bill of rights' under §70E of Chapter 111 of Title XVI of Part I of the Mass. Gen. Laws ('the Patient Bill of Rights'). More broadly applicable Massachusetts laws can also provide consumer protections, and impose obligations, regarding health-related data. For instance, the General Right to Privacy Law has been interpreted to mean that disclosure of confidential medical information, in violation of a professional duty, can constitute an actionable tort, or an invasion of privacy actionable under §1B of Chapter 214 of Title I of Part III of the Mass. Gen. Laws.[5] Moreover, where a Massachusetts governmental agency is maintaining health-related personal data about an individual, the Fair Information Practices Act requirements would impose obligations regarding matters such as notification to the individual and the individual's rights to access the data (see e.g., Mass. Gen. Laws ch. 66A, §2(i)). As with other types of personal information held by governmental agencies, these requirements can also impact private entities acting as contractors to such governmental agencies.
3.1. The Patient Bill of Rights
The Patient Bill of Rights provides a series of rights for patients or residents of a 'facility', defined broadly to include hospitals and nursing homes subject to licensing by the Massachusetts Department of Public Health, as well as an array of other entities, both public and private (see also §1 of Chapter 111 of Title XVI of Part I of the Mass. Gen. Laws). These rights include the right 'to privacy during medical treatment or other rendering of care within the capacity of the facility' (§70E(j) of the Patient Bill of Rights); the Patient Bill of Rights then restates this right, stating that 'every patient or resident of a facility shall be provided by the physician in the facility' that same right to privacy.
3.2. Patients' access to their own records
Massachusetts imposes a number of recordkeeping requirements on entities in the healthcare sector such as hospitals and clinics (see e.g. Mass. Gen. Laws ch. 111, §70), and also provides individuals and their legal representatives with rights to access their own medical and health records.
For example, patients and residents of '[h]ospitals or clinics subject to licensure by the department of public health or supported in whole or in part by the commonwealth' have the right to inspect their own medical records upon request and to receive copies of those records pursuant to a process described in the law, which allows reasonable fees to be required for copying (see Mass. Gen. Laws ch. 111, §70; and §27.16 of Title 104 of the CMR).
A health care provider who maintains records for a patient treated or examined by such provider also must permit the patient or the patient's authorised representative to inspect those records and provide the ability to receive a copy. In the case of a psychotherapist, the psychotherapist has some flexibility to provide a summary of the record rather than the entire record, if in the reasonable exercise of the psychotherapist's professional judgement, providing the entire record would adversely affect the patient's well-being (§12CC of Chapter 112 of Title XVI of Part I of the Mass. Gen. Laws).
In the employment context, '[a]ny employer requiring a physical examination of an employee shall, upon request, cause said person to be furnished with a copy of the medical report following the said examination' (§19A of Chapter 149 of Title XXI of Part I of the Mass. Gen. Laws).
Patients also specifically have rights to 'electronic access' to their health records (§6 of Chapter 118I of Title XVII of Part I of the Mass. Gen. Laws).
3.3. Restrictions on disclosure of health information
The Massachusetts Supreme Judicial Court has stated that there is 'a strong public policy in Massachusetts that favors confidentiality as to medical data about a person's body'.[4] Consistent with that approach, Massachusetts law restricts the release and use of medical or health information in numerous contexts.
Statutory and regulatory restrictions on disclosure include those pertaining to data regarding genetic information and testing; 'venereal diseases'; testing for the human immunodeficiency virus ('HIV'); drug addiction treatment; and treatment for alcohol addiction (Mass. Gen. Laws ch. 111, §§70G, 119, 70F, 18(a) and 11 respectively). Massachusetts case law also recognises physicians' obligations to restrict disclosure of patient health information to third parties without patient consent.[5]
There are also certain statutory privileges from disclosure in litigation and other contexts that apply to certain communications between a patient and providers such as social workers (Mass. Gen. Laws ch. 112, §§135, 135A, 135B), psychotherapists (§20B of Chapter 233 of Title II of Part III of the Mass. Gen. Laws), psychologists (Mass. Gen. Laws ch. 112, §129A), and sexual assault counsellors and domestic violence counsellors (Mass. Gen. Laws ch. 233, §§20J and 20K respectively).
There are also certain exceptions to confidentiality requirements. For instance, under certain circumstances, entities and persons such as hospitals, physicians, dentists, and/or caregivers are required to report instances of suspected or confirmed abuse or medical incidents to certain governmental agencies or entities. These include instances of child abuse (§51A of Chapter 119 of Title XVII of Part I of the Mass. Gen. Laws), abuse of disabled persons (§§1 and 10 of Chapter 19C of Title II of Part I of the Mass. Gen. Laws), elder abuse (§15 of Chapter 19A of Title II of Part I of the Mass. Gen. Laws), and abuse in certain care facilities (Mass. Gen. Laws ch. 111, §72G). Providers also must report certain illnesses and incidents, such as diseases of the eyes of infants, which must be reported to the board of health of the town where the infant is located (Mass. Gen. Laws ch. 111, §110), gunshots, and certain knife wounds or burns (Mass. Gen. Laws ch. 112, §12A), dog bites (Mass. Gen. Laws ch. 112, §12Z), lead poisoning (Mass. Gen. Laws ch. 111, §191), and treatment of victims of rape or sexual assault, which must be reported to the police and 'the department of criminal justice information services' where the rape or sexual assault occurred, and 'shall describe the general area where the attack occurred', but 'shall not include the victim's name, address, or any other identifying information' (Mass. Gen. Laws ch. 112, §12A½). There are also requirements for any person to report certain deaths to the medical examiner (§3 of Chapter 38 of Title VI of Part I of the Mass. Gen. Laws).
Massachusetts does not have a data protection law specific to financial information, but financial information is not excluded from a number of other broadly applicable laws and regulations, such as the Safeguards Regulation. The Safeguards Regulation applies to financial institutions as well as to other types of entities that handle personal information of Massachusetts residents, and imposes many requirements aimed at ensuring that such information is sufficiently protected.
Massachusetts has a number of laws that can be relevant to the treatment of individuals' data in an employment context, including with regard to employees' right to inspect their own personnel records and records from mandated physical exams, and limits on employers' ability to require and/or consider information such as criminal background information. Other laws of general applicability also extend protections to employees, and thus impose obligations on employers, such as the General Right to Privacy Law and the Safeguards Regulation, which imposes obligations on persons, including employers, who maintain personal data of Massachusetts residents, including employees.[6]
5.1. Employee rights to access their own records
Individual employees have certain rights in Massachusetts to access, and correct, their own employment-related records as provided under §52C of Chapter 149 of Title XXI of Part I of the Mass. Gen. Laws. Under this Section, employers are required to provide employees with notification regarding information in their personnel records, such as placing negative information in those records, which also triggers a requirement to allow the employee to review the information in those personnel records.
5.1.1. Key definitions
Mass. Gen. Laws ch. 149, §52C defines 'employee' as 'a person currently employed or formerly employed by an employer' but excludes tenure-track positions at private universities.
An 'employer' is broadly defined as 'an individual, corporation, partnership, labour organisation, unincorporated association or any other legal business, public or private, or commercial entity including agents of the employer' (Mass. Gen. Laws ch. 149, §52C).
'Personnel record' is generally defined as 'a record kept by an employer that identifies an employee, to the extent that the record is used or has been used, or may affect or be used relative to that employee's qualifications for employment, promotion, transfer, additional compensation or disciplinary action' (Mass. Gen. Laws ch. 149, §52C).
The law goes on to specify that certain written information or documents, to the extent prepared by an employer of 20 or more employees, regarding an employee are considered to be part of the personnel record for that employee. These are (Mass. Gen. Laws ch. 149, §52C):
- the employee's name, address, date of birth, job title and description;
- rate of pay and any other compensation paid to the employee;
- starting date of employment;
- the job application of the employee;
- resumes or other forms of employment inquiry submitted to the employer in response to their advertisement by the employee; and
- all employee performance evaluations, including but not limited to, employee evaluation documents, written warnings of substandard performance, lists of probationary periods, waivers signed by the employee, copies of dated termination notices, any other documents relating to disciplinary action regarding the employee.
Mass. Gen. Laws ch. 149, §52C also specifies that 'personnel record' does not include 'information of a personal nature about a person other than the employee if disclosure of the information would constitute a clearly unwarranted invasion of such other person's privacy'.
5.1.2. Supervisory authorities and penalties
Mass. Gen. Laws ch. 149, §52C may be enforced by the AG, who may impose fines in response to violations.
5.2. Restrictions on disclosure of records
The Public Records Law exempts certain employment-related information from disclosure, including personnel files (Mass. Gen. Laws ch. 4, §7(26)(c)).
5.3. Restrictions on background checks and other information in connection with applications
5.3.1. Lie detector tests
Massachusetts prohibits the use of a 'lie detector test' in connection with job applications or employment (§19B of Chapter 149 of Title XXI of Part I of the Mass. Gen. Laws). It also requires that applications for employment within Massachusetts contain the following notice 'in clearly legible print: It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability' (Mass. Gen. Laws ch. 149, §19B(2)(b)).
5.3.1.1. Key definitions
'Lie detector test' is defined as 'any test utilising a polygraph or any other device, mechanism, instrument or written examination, which is operated, or the results of which are used or interpreted by an examiner for the purpose of purporting to assist in or enable the detection of deception, the verification of truthfulness, or the rendering of a diagnostic opinion regarding the honesty of an individual' (Mass. Gen. Laws ch. 149, §19B(1)).
5.3.1.2. Supervisory authorities and penalties
Mass. Gen. Laws ch. 149, §19B(3) provides for criminal penalties, including imprisonment and fines. There is also a private right of action under Mass. Gen. Laws ch. 149, §19B(4) which allows for the potential collection of costs and attorney fees as well as damages. Mass. Gen. Laws ch. 149, §19B(3) also provides that a waiver of the provisions of the law by an employee or prospective employee cannot serve as a defence to a prosecution or lawsuit under the law.
5.3.2. Restrictions on requiring and/or using certain information in connection with applications and employment
Massachusetts restricts the ability of employers to require certain types of information from or about individuals in connection with employment, such as certain health information. For example, under Mass. Gen. Laws ch. 111, §70F, 'no employer shall require HIV antibody or antigen tests as a condition for employment.'
Massachusetts was also one of the first US states to enact a so-called 'ban the box' law, restricting the ability of employers to inquire about a job applicant's criminal history. The name derives from the practice of requiring applicants to tick a box indicating whether they have certain criminal history, such as arrests and/or convictions.
Under current law, Massachusetts prohibits a 'covered employer' from making certain inquiries about job applicants' and employees' criminal record information, subject to limited exceptions (§4(9) and (9½) of Chapter 151B of Title XXI of Part I of the Mass. Gen. Laws; see also, e.g., criminal offender checks under §15.00 of Title 101 of the CMR on Health and Human Services). Further, it protects persons who withhold such information from being considered guilty of perjury or of giving a false statement because of that withholding (Mass. Gen. Laws ch. 151B, §4(9)).
The law also generally prohibits an employer from refusing to hire or employ a person because of that person's failure to provide information regarding admission to a facility for the care and treatment of mentally ill persons, provided that the person has been discharged from such facility and can prove, by a psychiatrist's certificate, mental competence to perform the job in question. The law also places restrictions on inquiring, through employment applications, about the applicant's admission to a facility for mentally ill persons (Mass. Gen. Laws ch. 151B, §4(9A)).
5.3.2.1. Supervisory authorities and penalties
Violations of the law can potentially be sanctioned by criminal fines and/or imprisonment, depending on the facts and circumstances (§178 of Chapter 6 of Title II of Part I of the Mass. Gen. Laws). An 'aggrieved person' may also bring a civil action for damages and may in some situations recover reasonable fees and costs (Mass. Gen. Laws ch. 6, §177).
5.3.2.2. Key definitions
The law sets forth several exclusions from the definition of a covered 'employer', such as certain non-profit social and fraternal organisations (Mass. Gen. Laws ch. 151B, §1(5)).
Massachusetts does not currently have laws specifically covering online privacy, children's data, or behavioural advertising. However, other laws, particularly the General Right to Privacy Law and/or the Consumer Protection Law, may be applicable to such activities, depending on the facts and circumstances.
Massachusetts does not currently have laws specifically addressing this subject matter.
Massachusetts law does not contain overarching requirements that dictate the content or form of all privacy policies or notices as a general matter. However, individual laws may contain requirements for privacy policies and disclosures, such as notices of privacy practices provided by specific entities (see 104 CMR §27.16(5)). For example, employment-related disclosures should contain any required language, as applicable, regarding the restrictions on the use of lie detectors and criminal background information.
9.1. Disposition and destruction of records
Chapter 93I of Title XV of Part I of the Mass. Gen. Laws ('the Data Disposal Law') sets forth requirements for the appropriate disposal of records containing personal information.
9.2. Purpose and scope
The Data Disposal Law applies to both governmental agencies and private companies and individuals; it covers each 'agency' or 'person' who handles 'personal information' of Massachusetts residents, as defined in §§1 and 2 of the Data Disposal Law.
9.3. Key requirements
The Data Disposal Law sets forth, under §2 of the Data Disposal Law, the following minimum standards for proper disposal of records containing personal information:
- paper documents containing personal information must be either redacted, burned, pulverised or shredded so that personal data cannot practicably be read or reconstructed; and
- electronic media and other non-paper media containing personal information must be destroyed or erased so that personal information cannot practicably be read or reconstructed.
The law also specifically addresses situations where a covered agency or person contracts with a third-party service provider to dispose of personal information. Specifically, §2 of the Data Disposal Law requires that any such service provider must implement and monitor compliance with policies and procedures that prohibit unauthorised access to, acquisition of, or use of personal information during the collection, transportation, and disposal of personal information.
9.4. Key definitions
§1 of the Data Disposal Law defines personal information as a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements:
- social security number;
- driver's license number or Massachusetts identification card number;
- financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident's financial account; or
- a biometric indicator.
The Data Disposal Law defines 'personal information' slightly differently from some other laws addressing personal information. In particular, the Data Disposal Law specifically names biometric information (not further defined in the statute itself, but commonly including information such as fingerprints) in its definition of 'personal information', while other laws and regulations do not (although the Safeguards Regulation's definition of personal information is otherwise nearly identical to that of the Data Disposal Law).
9.5. Supervisory authorities and penalties
Violations of the Data Disposal Law can result in civil fines in an action brought by the AG (§3 of the Data Disposal Law).
10.1. Consumer Protection Law
The Consumer Protection Law broadly prohibits 'unfair or deceptive practices'. While it is not specific to the data protection space, it can be used to bring actions where consumers have been harmed due to unfair and/or deceptive practices involving treatment of their personal information. As discussed, the Data Disposal Law provides that the AG may enforce that law under the Consumer Protection Law.[7]
10.1.2. Case law
The AG has used the Consumer Protection Law in the data protection context, including an action taken before the effective date of the Safeguards Regulation against the Briar Group, an owner of restaurants that experienced a data breach in April 2009. Malicious code that was installed on the Briar Group's computer systems allowed hackers access to customers' credit and debit card information, including names and account numbers. Even though this code was not removed from the computers until December 2009, the AG stated that the Briar Group, knowing of the data breach, continued to accept credit and debit cards from consumers. The AG further alleged that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; and failed to properly secure its remote access utilities and wireless networks.
Under the terms of a settlement between the AG and the Briar Group, all restaurants in the Briar Group chain were required to, among other things, implement data security measures to comply with the Safeguards Regulation, even though, at the time of the activity in question, it was not yet effective and thus the action did not charge violations of the Safeguards Regulation. The AG pointed out in its press release, 'Although the data breach occurred prior to the effective date of the Safeguards Regulations, the data security standards set forth in the regulations were used in the settlement.'
10.1.3. Supervisory authorities and penalties
§4 of the Consumer Protection Law allows the AG to bring actions alleging violations, and to pursue fines and injunctive relief. The law also provides a private right of action for consumers and businesses under §§9 and 11 of the Consumer Protection Law respectively.
If a consumer believes an entity has violated the Consumer Protection Law, they may sue the business under the same, although the plaintiff must demonstrate that the activity in question resulted in a 'loss of money or property, real or personal' to that plaintiff pursuant to §11 of the Consumer Protection Law.
1. See e.g., §11.00 of Title 940 of the CMR (Attorney General and Department of the Attorney General), §33.00 of Title 950 of the CMR (State Secretary's Office); §2.00 of Title 960 of the CMR (State Treasurer's Office).
2. §501.171 of Title XXXIII of the 2018 Florida Statutes.
3. §17.05 of the Safeguards Regulation, 'Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with [the Safeguards Regulation] on or before 1 March 2010.' As noted above, the Safeguards Regulation also provided a grace period for the provision in §17.03(2)(f)(2) of the Safeguards Regulation regarding contractual provisions with third-party service providers until 1 March 2012 for contracts entered into before 1 March 2010.
4. Globe Newspaper Co. v. Chief Med. Examiner, 404 Mass. 132, 135 (1989).
5. See e.g., Alberts v. Devine, 395 Mass. 59 (1985).
6. The personal data of employees of Massachusetts governmental entities are also safeguarded pursuant to those entities' own WISPs and associated protocols. See e.g., Safeguard of Personal Information §27.00 of Title 940 of the CMR (implementing WISP that protects AG employee data).
7. §3 of the Data Disposal Law, 'The AG may bring an action pursuant to §4 of Chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.'