Massachusetts 2025-2026 Regular Session

Massachusetts Senate Bill S39 Compare Versions

SENATE DOCKET, NO. 2333 FILED ON: 1/17/2025
SENATE . . . . . . . . . . . . . . No. 39
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
Barry R. Finegold
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act protecting sensitive personal information from breaches and other cybersecurity incidents.
_______________
PETITION OF:
NAME: Barry R. Finegold
DISTRICT/ADDRESS: Second Essex and Middlesex
By Mr. Finegold, a petition (accompanied by bill, Senate, No. 39) of Barry R. Finegold for legislation to protect sensitive personal information from breaches and other cybersecurity incidents by creating a Massachusetts Cyber Incident Response Team. Advanced Information Technology, the Internet and Cybersecurity.
[SIMILAR MATTER FILED IN PREVIOUS SESSION SEE SENATE, NO. 2539 OF 2023-2024.]
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Fourth General Court
(2025-2026)
_______________
An Act protecting sensitive personal information from breaches and other cybersecurity incidents.
Whereas, The deferred operation of this act would tend to defeat its purpose, which is to further regulate cybersecurity and breaches of personal information, therefore it is hereby declared to be an emergency law, necessary for the immediate preservation of the public safety.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. Chapter 7D of the General Laws is hereby amended by adding the following new sections:-
Section 12. Definitions
As used in this section, and sections 13 and 14, the following words shall have the following meanings, unless the context clearly requires otherwise:
“Critical infrastructure”, the assets, systems and networks, either physical or virtual, within the commonwealth that are so vital to the commonwealth or the United States that the incapacitation or destruction of such a system or asset would have a debilitating impact on physical security, economic security, public health or safety or any combination thereof; provided, however, that “critical infrastructure” shall include, but not be limited to, election systems, transportation infrastructure, water, gas and electric utilities and shall include any critical infrastructure sectors as identified by: (1) Presidential Policy Directive-21 or a successor directive; or (2) the Cybersecurity and Infrastructure Security Agency.
“Cybersecurity incident”, an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems or information resident thereon; provided, however, that a cybersecurity incident may include a vulnerability in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
“Cybersecurity threat”, any circumstance or event with the potential to adversely impact organizational operations, including mission, functions, image or reputation, organizational assets or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, denial of service or any combination thereof; provided, however, that the term “cybersecurity threat” shall also include the potential for a threat source to successfully exploit a particular information system vulnerability.
“Governmental entity”, any department of state, county or local government including the executive, legislative or judicial, and all councils thereof and thereunder, any division, board, bureau, commission, institution, tribunal or other instrumentality within such department or any independent state, county or local authority, district, commission, instrumentality or agency.
“Response team”, the Massachusetts Cyber Incident Response Team established pursuant to section 13.
Section 13. Massachusetts Cyber Incident Response Team.
(a) There shall be established a Massachusetts Cyber Incident Response Team, which shall serve as a standing subcommittee of the office, the mission of which is to enhance the commonwealth’s ability to prepare for, respond to, mitigate against and recover from significant cybersecurity incidents.
(b) The response team shall consist of: the secretary of technology services and security or their designee, who shall serve as chair; a representative of the commonwealth security operations center as designated by the director of security operations; the secretary of public safety and security or their designee; a representative of the state police cyber crime unit; a representative of the commonwealth fusion center; the adjutant general of the Massachusetts National Guard or their designee; the director of the Massachusetts emergency management agency or their designee; the comptroller or their designee; and any other state or local officials as assigned by the chair. The chair shall designate a member of the response team to act as a liaison with federal agencies.
(c) The response team shall review cybersecurity threat information, including intrusion methods, common techniques and known vulnerabilities, to make informed recommendations and establish appropriate policies to manage the risk of cybersecurity incidents for all governmental entities; provided, however, that such recommendations, policies and directives shall be informed by information and best practices obtained through the established information sharing network of local, state, federal and industry partners in which response team members regularly participate.
(d) The response team shall develop and maintain an updated cybersecurity incident response plan for the commonwealth and submit such plan annually for review, not later than November 1, to the governor and the joint committee on advanced information technology, the internet and cybersecurity. The response team shall conduct tabletop exercises to test the plan at least twice per year and shall conduct individual tabletop exercise testing with a subset of governmental entities, as selected by the response team, at least quarterly. Said plan, which shall not be a public record pursuant to chapter 66 or clause twenty-sixth of section 7 of chapter 4, shall include, but not be limited to:
(i) ongoing and anticipated cybersecurity incidents or cybersecurity threats;
(ii) a risk analysis identifying the vulnerabilities of critical infrastructure and detailing risk-informed recommendations to address such vulnerabilities;
(iii) recommendations regarding the deployment of governmental entity resources and security professionals in rapidly responding to such cybersecurity incidents or cybersecurity threats;
(iv) recommendations regarding best practices to minimize the impact of significant cybersecurity threats to governmental entities; and
(v) guidelines for governmental entities regarding communication with an individual or entity that is demanding a payment of ransom related to a cybersecurity incident.
(e) In the event of a cybersecurity incident that threatens or results in a material impairment of the infrastructure or services of a governmental entity or critical infrastructure, the secretary of technology services and security shall, with the approval of the governor, serve as the director of the response team; provided, however, that the secretary of technology services and security may direct the response team to collaborate with other governmental entities, including federal entities, that are not members of the response team as appropriate to respond to a cybersecurity incident. The provisions of sections 18 through 25, inclusive, of chapter 30A shall not apply to meetings, communications, deliberations or other activities of the response team conducted in response to a cybersecurity incident under this subsection.
(f) Governmental entities shall comply with all protocols and procedures established by the response team and all related policies, standards and administrative directives issued by the office pursuant to subsection (b) of section 3. The chief information officer or equivalent responsible officer for any governmental entity shall, as soon as practicable, report any known cybersecurity incident to the commonwealth security operations center, in a form to be prescribed by the office. The commonwealth security operations center shall notify the response team of all reported security threats or incidents as soon as practicable, but not later than 24 hours after receiving a report.
(g) The commonwealth fusion center and the commonwealth security operations center shall routinely exchange information with the response team and the federal cybersecurity and infrastructure security agency related to cybersecurity threats and cybersecurity incidents that have been reported to or discovered by their respective state agencies or reported to the response team.
(h) The office and the response team shall consult with the Massachusetts Cyber Center and assist said center with efforts to foster cybersecurity resiliency through communications, collaboration and outreach to governmental entities, educational institutions and industry partners.
(i) The secretary of technology services and security shall promulgate regulations or directives to carry out the purposes of this section.
Section 14. Critical Infrastructure Cyber Incident Reporting Requirements
(a) As used in this section, the following words shall have the following meanings unless the context clearly requires otherwise:
“Covered entity”, any entity that owns or operates critical infrastructure.
“Secretary”, the secretary of the executive office of public safety and security.
(b) A covered entity shall provide notice, as soon as practicable and without unreasonable delay, when such covered entity knows or has reason to know of a cybersecurity incident to the commonwealth fusion center in a form to be prescribed by the secretary in consultation with the response team; provided, however, that such notice shall include, but not be limited to:
(i) a timeline of events as best known by the covered entity and the type of cybersecurity incident known or suspected;
(ii) how the cybersecurity incident was initially detected or discovered;
(iii) a list of the specific assets that have been affected or are suspected to be affected;
(iv) copies of any electronic communications that are suspected of being malicious, if applicable;
(v) copies of any malware, threat actor tool or malicious links suspected of causing the cybersecurity incident, if applicable;
(vi) any digital logs such as firewall, active directory or event logs, if available;
(vii) forensic images of random access memory or virtualized random access memory from affected systems, if available;
(viii) contact information for the covered entity and any third-party entity engaging in cybersecurity incident response that is involved; and
(ix) any other information related to the cybersecurity incident as required by the secretary.
Any notice provided by a covered entity under this subsection shall not be a public record pursuant to chapter 66 or clause twenty-sixth of section 7 of chapter 4.
(c) Upon receipt of said notice, the representative of the commonwealth fusion center to the response team or their designee shall:
(i) create and maintain a record of the cybersecurity incident, including all information provided by the covered entity in the notice under subsection (b); and
(ii) provide a copy of said record to the response team, which shall be included in the response team’s annual cyber incident response plan required pursuant to subsection (d) of section 13; provided, however, that such copy shall not include any information identifiable to the covered entity that is not expressly necessary for the preparation of the response team’s report unless the covered entity has provided affirmative consent to share such information.
(d) Upon receipt of the notice required by subsection (b), the commonwealth fusion center may:
(i) coordinate with the response team to identify or communicate recommended response measures as appropriate;
(ii) assist the covered entity with implementing recommended response measures as appropriate, alone or in conjunction with: (A) any agency or entity represented in the response team; (B) any local law enforcement agency; (C) private individuals and other entities at the discretion of the secretary; or (D) the Massachusetts Cyber Center; and
(iii) provide, at the discretion of the secretary, information about other entities that are capable of providing mitigation and remediation support following a cybersecurity incident or in response to a cybersecurity threat.
(e) Nothing in this section shall be construed to:
(i) fulfill any regulatory data breach reporting requirements pursuant to chapter 93H; or
(ii) absolve any duty under applicable federal law to report a cybersecurity threat or cybersecurity incident to the federal cybersecurity and infrastructure security agency.
(f) This section shall not apply to a covered entity that reports the cybersecurity incident to the federal cybersecurity and infrastructure security agency pursuant to the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 and its implementing regulations.
(g) The secretary, in consultation with the secretary of technology services and security, shall promulgate regulations for the purposes of carrying out this section.
SECTION 2. Section 1 of chapter 93H of the General Laws, as appearing in the 2022 Official Edition, is hereby amended by inserting after the definition of “Agency” the following definition:-
“Biometric information”, a retina or iris scan, fingerprint, voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern or other data generated from the specific technical processing of an individual’s unique biological or physiological patterns or characteristics used to authenticate or identify a specific individual; provided, however, that “biometric information” shall not include:
(i) a digital or physical photograph;
(ii) an audio or video recording; or
(iii) data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to authenticate or identify a specific individual.
SECTION 3. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by striking out the definition of “Breach of security” and inserting in place thereof the following definition:-
“Breach of security”, the unauthorized acquisition or use of unencrypted electronic data, or encrypted electronic data when the encryption key or security credential has been acquired; provided, however, that such unauthorized acquisition or use compromises the security, confidentiality or integrity of personal information maintained by a person or agency; and provided further, that a good faith but unauthorized acquisition of personal information by an employee or agent of a person or agency for the lawful purposes of such person or agency is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
SECTION 4. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Encrypted” the following 3 definitions:-
“Genetic information”, information, regardless of format, that:
(i) results from the analysis of a biological sample of an individual or from another source enabling equivalent information to be obtained; and
(ii) concerns an individual’s genetic material, including, but not limited to, deoxyribonucleic acids, ribonucleic acids, genes, chromosomes, alleles, genomes, alterations or modifications to deoxyribonucleic acids or ribonucleic acids, single nucleotide polymorphisms, uninterpreted data that results from analysis of the biological sample or other source or any information extrapolated, derived or inferred therefrom.
“Health insurance information”, an individual’s health insurance policy number, subscriber identification number or any identifier used by a health insurer to identify the individual.
“Medical information”, information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional.
SECTION 5. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by striking out the definition of “Personal information” and inserting in place thereof the following definition:-
“Personal information” shall mean:
(i) a resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
(A) social security number;
(B) taxpayer identification number or identity protection personal identification number issued by the Internal Revenue Service;
(C) driver’s license number, passport number, military identification number, state-issued identification card number or other unique identification number issued by the government that is commonly used to verify the identity of a specific individual;
(D) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
(E) biometric information;
(F) date of birth;
(G) genetic information;
(H) health insurance information;
(I) medical information; or
(J) specific geolocation information; or
(ii) a username or electronic mail address, in combination with a password or security question and answer, that would permit access to an online account.
SECTION 6. Said section 1 of said chapter 93H, as so appearing, is hereby further amended by inserting after the definition of “Personal information” the following definition:-
“Specific geolocation information”, information derived from technology including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms that directly identify the specific location of an individual within a geographic area that is not greater than the area of a circle with a radius of 1,850 feet; provided, however, that “specific geolocation information” shall exclude the content of communications or any information generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
SECTION 7. Section 2 of said chapter 93H, as so appearing, is hereby amended by adding the following new subsection:-
(d) The rules and regulations adopted pursuant to this section shall be updated from time to time to reflect any changes to the definitions of “breach of security” or “personal information” in section 1.
SECTION 8. Section 3 of said chapter 93H, as so appearing, is hereby amended by striking out subsection (b) and inserting in place thereof the following subsection:-
(b) A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency: (i) knows or has reason to know of a breach of security; or (ii) knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose and such use or acquisition presents a reasonably foreseeable risk of financial, physical, reputational or other cognizable harm to the resident, the attorney general, the Federal Bureau of Investigation and the director of consumer affairs and business regulation, in accordance with this chapter. The notice to be provided to the attorney general, Federal Bureau of Investigation and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of the commonwealth affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) the name and title of the person or agency reporting the breach of security and their relationship to the person or agency that experienced the breach of security; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, any of the categories of personal information set forth in the definition of “personal information” in section 1; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating such written information security program. A person who experienced a breach of security shall file a report with the attorney general and the director of consumer affairs and business regulation certifying their credit monitoring services comply with section 3A; provided, however, that such a report shall not be required if the personal information compromised by the breach of security is medical information or specific geolocation information.
Upon receipt of this notice, the director of consumer affairs and business regulation shall identify any relevant consumer reporting agency or state agency, as deemed appropriate by said director, and forward the names of the identified consumer reporting agencies and state agencies to the notifying person or agency. Such person or agency shall, as soon as practicable and without unreasonable delay, also provide notice, in accordance with this chapter, to the consumer reporting agencies and state agencies so identified.
The notice to be provided to the resident shall include, but not be limited to: (i) the date, estimated date or estimated date range of the breach of security; (ii) the type of personal information compromised, including, but not limited to, any of the categories of personal information set forth in subclauses (A) through (J) of clause (i) or in clause (ii) of the definition of “personal information” in section 1; (iii) a general description of the breach of security; (iv) information that the resident can use to contact the person or agency reporting the breach of security; (v) the resident’s right to obtain a police report; (vi) how a resident may request a security freeze and the necessary information to be provided when requesting the security freeze; (vii) a statement that there shall be no charge for a security freeze; (viii) mitigation services to be provided pursuant to this chapter; and (ix) the toll-free number, address and website for the federal trade commission; provided, however, that the notice shall not be required to include information pursuant to clauses (vi) and (vii) if the personal information compromised by the breach of security is medical information or specific geolocation information.
The person or agency that experienced the breach of security shall provide a sample copy of the notice it sent to consumers to the attorney general and the office of consumer affairs and business regulation. A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.
If the breach of security involves log-in credentials pursuant to clause (ii) of the definition of “personal information” in section 1 for an online account and no other personal information, the person or agency may comply with this chapter by providing notice in electronic or other form; provided, however, that such notice shall direct the resident whose personal information has been breached to: (i) promptly change the resident’s password and security question or answer, as applicable; or (ii) take other steps appropriate to protect the affected online account with the person or agency and all other online accounts for which the resident whose personal information has been breached uses the same username or electronic mail address and password or security question or answer.
If the breach of security involves the log-in credentials, pursuant to clause (ii) of the definition of “personal information” in section 1, of an electronic mail account furnished by a person or agency, the person or agency shall not comply with this chapter by providing notice of the breach of security to such electronic mail address but shall instead provide notice by another acceptable method of notice pursuant to this chapter or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the person or agency knows the resident customarily accesses the account.