Page 71 - BusinessWest April 27, 2026

first name (or initial) and last name, in combination with the resident’s Social Security number, driver’s license number or state-issued ID card number, or financial account number or credit/debit card number. According to the state regulations implementing the Massachusetts Data Security Law, a WISP must include:
• Designating one or more employees to maintain and supervise WISP implementation and performance;
• Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing PI;
• Evaluating and improving the effectiveness of the current safeguards for limiting security risks, including proper training of employees on the importance of data security and reviewing means for detecting and preventing security system failures;
• Developing security policies for employees relating to the storage, access, and transportation of records containing PI;
• Imposing disciplinary measures for violations of your WISP rules;
• Preventing terminated employees from accessing records containing PI;
• Taking reasonable steps to select and oversee third-party service providers who have access to your PI; and
• Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing PI.
We typically encourage employers to work with counsel when they are developing a written information security program, as it must be designed to address the business’s risk profile while considering compliance obligations under the Massachusetts Data Security Law and Regulations.
What to Do If You Experience a Data Breach
If your business experiences a data breach, having a compliant WISP in place — while helpful — is not enough to meet your obligations under the Massachusetts Data Security Law. If a business knows or has reason to know they have experienced a data breach, the business must promptly notify the state Attorney General’s Office as well as all affected employees with written notice.
The notice to the Attorney General’s Office must explain the nature of the security breach or unauthorized access or use of PI, the number of Massachusetts residents affected by such incident at the time of notification, the person responsible for the incident (if known), the type of PI compromised, and all the steps the business has taken or plans to take relating to the incident, including maintaining and updating the WISP.
As for the employee notice, that must include information regarding the resident’s right to obtain a police report; how the resident can request a credit freeze and the information a resident will need to request a credit freeze; and that there is no fee for requesting, temporarily lifting, or permanently removing a security freeze with any of the consumer reporting agencies.
When a breach occurs, we recommend working with those who are experienced in supervising and conducting a prompt and effective data breach response. This may involve interviewing employees, working with IT staff or external forensics investigators to determine the nature and extent of the breach, drafting and submitting required notices to affected individuals and the Massachusetts Attorney General’s Office, and revising policies and procedures to prevent future data breaches.
John Gannon is a partner with Skoler, Abbott & Presser, P.C., a Springfield-based law firm exclusively practicing labor and employment law for more than a half-century, focusing on litigation avoidance, employment litigation, and labor law and relations. He specializes in employment law and regularly counsels employers on compliance with state and federal laws; (413) 737-4753.