State notification register
Massachusetts data breach notification law: as soon as practicable and without unreasonable delay.
Massachusetts's breach-notification obligations are set by Mass. Gen. Laws ch. 93H (paired with 201 CMR 17.00 data-security regulations). This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.
Individual deadline
No fixed day
Without unreasonable delay
AG notification
Required
All breaches (AG and Office of Consumer Affairs and Business Regulation)
Private action
Yes
Chapter 93A claims, subject to a 30-day pre-suit demand letter requirement
Statute
MA
Mass. Gen. Laws ch. 93H
Section MA.1
What the statute requires
Under Mass. Gen. Laws ch. 93H, the paired with 201 CMR 17.00 data-security regulations, a business that owns or licenses computerized personal information of Massachusetts residents must notify affected individuals as soon as practicable and without unreasonable delay.
Attorney general or state-agency notification is all breaches (ag and office of consumer affairs and business regulation). Where required, the timeline is: as soon as practicable and without unreasonable delay.
Section MA.2
What triggers notification
Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.
Encryption safe harbor
Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.
Who must be notified
- [1] Affected Massachusetts residents: without unreasonable delay
- [2] Attorney general / state agency: all breaches (ag and office of consumer affairs and business regulation)
- [3] Consumer reporting agencies where the breach is large-scale
Section MA.3
Penalties and enforcement
Up to $5,000 per violation; treble damages for willful violations, plus attorney fees.
Private right of action: Yes. Chapter 93A claims, subject to a 30-day pre-suit demand letter requirement.
Primary source:Massachusetts statute Mass. Gen. Laws ch. 93H (paired with 201 CMR 17.00 data-security regulations); verified June 2026 against state statutory summaries and the underlying statute text.
Section MA.4
How this compares to the strictest states
The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where Massachusetts sits.
Massachusetts does not set a numeric deadline. It uses a "without unreasonable delay" standard, which regulators interpret as days to weeks, not months. Organizations operating across multiple states should default to the strictest applicable clock, which can be as short as 30 days in states such as California, Colorado, Florida.
Cross-references
Index / All 50 states + DC
→The full register: deadline and AG threshold for every state.
Schedule 09 / Notification laws
→Global frameworks and the cost of notification.
01 / Breach cost calculator
→Estimate your Massachusetts breach exposure, including notification cost.
Regulation / GDPR
→The 72-hour clock and 4%-of-revenue fine framework.
Cost / Notification
→Why notification is roughly 6% of total breach cost.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source:Massachusetts data breach notification statute (Mass. Gen. Laws ch. 93H). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.