
How to Approach Data Security Concerns — and Compliance

Safety First

By John S. Gannon, Esq.


Workplace privacy and data security are growing concerns for employers. They must contend with sophisticated cyberattacks and ransomware, the instant transfer of sensitive personnel information, a growing volume of employee and medical information that needs to be protected, and laws that protect employees from intrusions into their privacy.

Employees regularly provide their employers with sensitive personal information, such as health records, Social Security numbers, and tax and payroll information. Businesses that fail to implement adequate security measures to safeguard this information can be held liable if this data is compromised.

For example, although not an employment case, in 2022, T-Mobile agreed to pay $350 million to settle a class action lawsuit focused on a 2021 data breach impacting more than 76 million people. And in 2023, Whole Foods paid $300,000 to settle a class action lawsuit brought by employees who claimed the grocery giant unlawfully collected voice data from employees who worked at the company’s distribution centers.


In Massachusetts, the state’s Data Security Law and Regulations set stringent standards for the protection of personal information of Massachusetts residents (including employees) and mandate compliance from businesses handling such data. The law and regulations establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. They are aimed at ensuring the security and confidentiality of sensitive data and protecting against unauthorized access to, or use of, such information that may result in substantial harm or inconvenience to any Massachusetts resident.


The WISP Requirement

Under the Massachusetts Data Security Law and Regulations, if your business (wherever it’s located) collects, stores, or uses personal information about a Massachusetts resident, the business is required to implement and maintain a comprehensive written information security program (WISP). This includes employers who collect personal information about their workforce, which virtually all of them do.

The WISP is required to include administrative, technical, and physical safeguards for protection of personal information (PI) about a resident of the Commonwealth of Massachusetts. For electronic records, the regulations (201 CMR 17.04) also spell out computer system security requirements, including secure user authentication, access controls that limit PI to those who need it for their jobs, encryption of PI transmitted across public networks or wirelessly and of PI stored on laptops and other portable devices, monitoring for unauthorized use, reasonably up-to-date patching and malware protection, and employee training.

For the purposes of the WISP, PI means a Massachusetts resident’s first name (or initial) and last name, in combination with the resident’s Social Security number, driver’s license number or state-issued ID card number, or financial account number or credit/debit card number. According to the state regulations implementing the Massachusetts Data Security Law, a WISP must include:

• Designating one or more employees to maintain and supervise WISP implementation and performance;

• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing PI;

• Evaluating and improving the effectiveness of the current safeguards for limiting security risks, including proper training of employees on the importance of data security and reviewing means for detecting and preventing security system failures;

• Developing security policies for employees relating to the storage, access, and transportation of records containing PI;

• Imposing disciplinary measures for violations of your WISP rules;

• Preventing terminated employees from accessing records containing PI;

• Taking reasonable steps to select and oversee third-party service providers who have access to PI, including requiring them by contract to implement and maintain appropriate security measures; and

• Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing PI.

We typically encourage employers to work with counsel when they are developing a written information security program, as it must be designed to address the business’s own risk profile while meeting the compliance obligations under the Massachusetts Data Security Law and Regulations.


What to Do If You Experience a Data Breach

If your business experiences a data breach, having a compliant WISP in place — while helpful — is not enough to meet your obligations under the Massachusetts Data Security Law. If a business knows or has reason to know that it has experienced a breach of security, or that PI was acquired or used by an unauthorized person, it must promptly provide written notice to the state Attorney General’s Office, to the Office of Consumer Affairs and Business Regulation, and to every affected employee or other Massachusetts resident.

The notice to the Attorney General’s Office must explain the nature of the security breach or unauthorized access or use of PI, the number of Massachusetts residents affected by such incident at the time of notification, the person responsible for the incident (if known), the type of PI compromised, and all the steps the business has taken or plans to take relating to the incident, including maintaining and updating the WISP.

As for the employee notice, it must include information regarding the resident’s right to obtain a police report; how the resident can request a security freeze on their credit report; the information a resident will need to provide to request the freeze; and a statement that there is no fee for requesting, temporarily lifting, or permanently removing a security freeze with any of the consumer reporting agencies.

When a breach occurs, we recommend working with those who are experienced in supervising and conducting a prompt and effective data breach response. This may involve interviewing employees, working with IT staff or external forensics investigators to determine the nature and extent of the breach, drafting and submitting required notices to affected individuals and the Massachusetts Attorney General’s Office, and revising policies and procedures to prevent future data breaches.


John Gannon is a partner with Skoler, Abbott & Presser, P.C., a Springfield-based law firm exclusively practicing labor and employment law for more than a half-century, focusing on litigation avoidance, employment litigation, and labor law and relations. He specializes in employment law and regularly counsels employers on compliance with state and federal laws; (413) 737-4753.