Massachusetts: municipal breach notification
201 CMR 17 requires a Written Information Security Program (WISP) for any entity holding MA-resident PII. Breach notification follows separately under M.G.L. c. 93H.
Timeline: as soon as practicable and without unreasonable delay.
- Notification letter must NOT disclose the nature of the breach in the body sent to residents.
- The WISP must already exist before a breach occurs; auditors and the AG check for it during the investigation.
What this means for a Massachusetts municipality
Small and mid-sized municipalities in Massachusetts sit at the intersection of federal frameworks (CIRCIA, HIPAA where EMS or public-health clinics are in scope, CJIS for police records) and the state breach-notification statute enforced by the MA Attorney General and the MA Office of Consumer Affairs. The clock starts when your team has a reasonable belief that resident PII was acquired by an unauthorized party, not when the investigation finishes.
For a town under 100,000 residents, the practical question is rarely "do we have to notify?" but rather "what's the cleanest path that satisfies the MA Attorney General, the MA Office of Consumer Affairs, our cyber-insurance carrier, and our open-meeting obligations, in that order." The HackFirstAid triage walks through that decision tree; the matching playbooks include first-hour scripts that have already been screened against the Massachusetts statute.
If you're a Massachusetts clerk, CAO, IT director, or council member reading this during a live incident, open the free triage first. If you're reading it on a quiet Tuesday, it also works as a tabletop exercise: most municipalities run it once before they need it, then once for real, six months later.
- Tax, permits, utility billing, and court scheduling encrypted on the same morning.
- Fraudulent wire instructions on a vendor payment or payroll change.
- Vital records, property assessments, or business licenses exposed or altered.