The 194th General Court of the Commonwealth of Massachusetts

Bill S.39 194th (Current)

An Act protecting sensitive personal information from breaches and other cybersecurity incidents

By Mr. Finegold, a petition (accompanied by bill, Senate, No. 39) of Barry R. Finegold for legislation to protect sensitive personal information from breaches and other cybersecurity incidents by creating a Massachusetts Cyber Incident Response Team. Advanced Information Technology, the Internet and Cybersecurity.

Bill Information

Presenter:
Barry R. Finegold

Emergency Preamble

Whereas, The deferred operation of this act would tend to defeat its purpose, which is to further regulate cybersecurity and breaches of personal information, therefore it is hereby declared to be an emergency law, necessary for the immediate preservation of the public safety.

Cybersecurity

Codifies the Massachusetts Cyber Incident Response Team (MA-CIRT) originally created by Executive Order 602, issued by Governor Baker in December 2022; establishes state-level reporting requirements for cybersecurity incidents impacting critical infrastructure which are not covered under extant federal reporting requirements; updates and expands the Commonwealth’s data security law to: (i) include more categories of sensitive personal information (including biometric, genetic, health, and specific geolocation information), (ii) clarify what activity constitutes a breach of security, and (iii) adhere to best practices regarding cybersecurity and notification. Language is excerpted from S.2539 (193rd Session), favorably reported by AITIC.

SECTION 1: Adds 3 new sections to the chapter of the General Laws addressing the former Massachusetts Office of Information Technology (now, EOTSS):

Section 12: For the purposes of the following sections on cyber incident response, defines terms including “Critical infrastructure” and “Cybersecurity incident.” Definitions align with the federal Cybersecurity and Infrastructure Security Agency (CISA) or the National Institute of Standards and Technology (NIST), as applicable.

Section 13: Formally establishes the Massachusetts Cyber Incident Response Team (MA-CIRT), defining membership, scope, and operational structure in the event of a cybersecurity incident that threatens or materially impairs a governmental entity or other critical infrastructure. MA-CIRT is charged with the development and annual updating of a cybersecurity incident response plan. Language mirrors, within MGL drafting standards, Executive Order 602.

Section 14: Requires owners and operators of critical infrastructure to provide notice and appropriate available information to the Commonwealth Fusion Center (CFC, a member of MA-CIRT) in response to a cybersecurity incident. MA-CIRT may then coordinate with the CFC on recommended response measures. Language is modeled, to the extent applicable, on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA, 6 USC 681b).

SECTION 2: Amends MGL Chapter 93H (Security Breaches, hereinafter “93H”) by adding a definition of “Biometric information.” Definition is modeled on the Biometric Information Privacy Act (BIPA, 740 ILCS 14), with expansions to include newer forms of identifiable behavioral characteristics like vein and gait patterns (see: BIPA and Beyond).

SECTION 3: Amends 93H by updating the definition of “Breach of security” to include any unauthorized acquisition or use of personal information that compromises the security, confidentiality, or integrity of the data, regardless of whether there is “substantial risk of identity theft or fraud” as is current. Extant language is not suitable for breaches of sensitive information like health or geolocation data, which pose significant dangers other than identity theft or fraud.

SECTION 4: Amends 93H by adding definitions of “Genetic information,” “Health insurance information,” and “Medical information,” all of which will be hereinafter included as covered categories of “Personal information.” Definitions align with those adopted in other state legislation.

SECTION 5: Amends 93H by expanding the definition of “Personal information” to include additional sensitive categories of information beyond financial account numbers, including those defined in Sections 2, 4 and 6.

SECTION 6: Amends 93H by adding a definition of “Sensitive geolocation information.” Definition is modeled on that contained in 15 USC 9901(c)(6) (Protecting Americans’ Data from Foreign Adversaries) for “precise geolocation information”.

SECTION 7: Amends 93H to require regular updates to the definitions of “Breach of security” and “Personal information” as technology progresses.

SECTION 8: Amends 93H to instruct companies and government agencies to provide more straightforward and helpful information to data breach victims. Specifically, breach notices would be required to include general background about the nature of the breach and what kinds of data were exposed; in response to breaches that expose login information, entities would be required to prompt affected residents to change their password information, in line with best practices.
* The bill summary was created by the Primary Sponsor of the bill; no committee of the General Court certifies the accuracy of its contents.