What to Know About

Why Massachusetts Schools Must Prioritize M.G.L. 93H Compliance

What to Know About M.G.L. 93H for Massachusetts School Data Privacy involves three critical requirements:

1. Implement a Written Information Security Program (WISP) with administrative, technical, and physical safeguards.
2. Report data breaches promptly to the Attorney General's Office, the Office of Consumer Affairs, and affected residents.
3. Dispose of personal information securely by shredding paper documents and permanently erasing electronic data.

Massachusetts schools face a significant compliance challenge. While FERPA protects student education records federally, M.G.L. Chapter 93H (the Massachusetts Data Security Law) is broader, covering any personal information of Massachusetts residents, including students, parents, and staff.

The stakes are high. Since the law's 2010 deadline, the Massachusetts Attorney General's Office has been notified of over 21,000 breaches. For K-12 districts, a single breach can lead to financial penalties, loss of community trust, and harm to families.

Crucially, M.G.L. 93H provides no exemptions for educational institutions. Your district must create a comprehensive security program and comply with the same rigorous standards as banks and healthcare providers, often with limited IT budgets and staff. This means protecting everything from student Social Security numbers to parent contact information and staff payroll data.

Compliance is achievable with the right approach. This guide breaks down what Massachusetts schools need to know about M.G.L. 93H, from defining "personal information" to building an effective WISP.

Key terms for What to Know About M.G.L. 93H for Massachusetts School Data Privacy:

• All About Illinois’ Data Breach Law: Requirements for K–12 Districts
• All About Oregon’s Data Breach Notification Law for Schools
• What to Know About Code of Virginia § 22.1-287.02: Student Data Breach Notifications

Understanding M.G.L. Chapter 93H and Its Core Concepts

Understanding the law's core components is the first step toward compliance. M.G.L. Chapter 93H has two main functions: preventing breaches and ensuring a proper response when they occur.

What is M.G.L. Chapter 93H?

Massachusetts General Law Chapter 93H is the Commonwealth's data security and breach notification law. Paired with its regulations, 201 CMR 17.00, it creates a framework to protect residents from identity theft. Critically for schools, the law applies to any organization holding personal information of Massachusetts residents, with no exemptions for educational institutions.

The law's Data Security Regulations (201 CMR 17.00) require organizations to implement reasonable administrative, technical, and physical safeguards. The Breach Notification Law portion dictates the required response to a breach, including who to notify and when. School administrators are legally obligated to maintain a comprehensive security program and a clear breach response plan.

Defining 'Personal Information' Under the Law

M.G.L. 93H specifically protects "personal information" (PI), defined as a Massachusetts resident's first name and last name (or first initial and last name) combined with one or more of the following:

• Social Security number
• Driver's license number or state-issued ID number
• Financial account number (such as a credit or debit card number)

The key is the combination. A list of student names alone is not PI, but a list of names with Social Security numbers is. Schools regularly handle this data in student enrollment forms, parent payment systems, and staff payroll records. Data on staff members is also covered. Understanding this definition is the first step in identifying what data needs protection. For more on this topic, see our guide on Sensitive Data Definition and Types.

What Constitutes a 'Security Breach' for a School?

A security breach is the unauthorized acquisition or use of unencrypted personal information, or encrypted data if the key is also compromised. The event must create a "substantial risk of identity theft or fraud." Proof of actual fraud is not required; if the data could be used for identity theft, it's a breach.

Common school scenarios that constitute a breach include:

• A stolen laptop with unencrypted student records.
• A successful phishing attack where an attacker gains access to a student information system. Phishing is a major threat; getting a complimentary phishing audit can reveal your district's vulnerability.
• Ransomware incidents that compromise the confidentiality of personal information.
• Unauthorized internal access, such as a staff member viewing records without a legitimate reason.

If personal information is compromised, you must treat it as a potential breach and follow the law's notification requirements. For more context, explore our guide on Cybersecurity for Educational Institutions.

Key Compliance Requirements for Massachusetts Schools

The core of What to Know About M.G.L. 93H for Massachusetts School Data Privacy is proactive protection. Compliance is about building a safety net for your students, parents, and staff.

Developing a Written Information Security Program (WISP)

A Written Information Security Program (WISP) has been a mandatory requirement since March 1, 2010. This document must be custom to your school's specific size, resources, and risks.

A WISP must include:

• Administrative Safeguards: Policies and procedures.
• Technical Safeguards: Technology-based protections.
• Physical Safeguards: Security for buildings and equipment.

Key components of an effective WISP include a thorough risk assessment, regular employee training, scrutiny of third-party vendor contracts, a clear incident response plan, and data retention and disposal policies. For a comprehensive guide to building your security framework, explore our Data Security and Privacy Plan.

[LIST] of Mandated Computer System Security Requirements

The regulations (201 CMR 17.00) mandate specific technical security requirements for all computer systems. These are not optional.

• Secure user authentication: Enforce strong passwords and account lockouts after multiple failed login attempts.
• Access control measures: Limit data access based on job roles and review permissions regularly.
• Encryption of data in transit: Encrypt personal information transmitted over public networks.
• Network monitoring: Regularly review system activity logs to detect unauthorized access.
• Firewall protection: Maintain and update firewalls to block malicious traffic.
• Up-to-date antivirus software: Ensure all applicable computers have the latest virus definitions and security patches.

For more on protecting your school's technology, see our guide on Cybersecurity for Educational Institutions.

Proper Disposal of Personal Information

M.G.L. 93H mandates how personal information is destroyed. Simply deleting files or recycling papers is not compliant.

• Paper documents must be made unreadable, typically through cross-cut shredding or pulverizing. Using a professional service that provides a certificate of destruction is a best practice.
• Electronic media requires secure disposal. Use data erasure software to overwrite the data, or physically destroy old hard drives and media (e.g., degaussing, drilling).

Your WISP must include clear record retention policies to ensure data is not kept longer than necessary. Minimizing stored data reduces risk.

Responding to a Data Breach Under M.G.L. 93H

Even with strong defenses, breaches can happen. When they do, What to Know About M.G.L. 93H for Massachusetts School Data Privacy shifts from prevention to a legally mandated response. Following the correct procedures is critical to managing the crisis.

Breach Notification Timelines and Procedures

When a breach is suspected, you must act quickly. M.G.L. 93H requires notification "as soon as practicable and without unreasonable delay."

Your immediate steps should be to:

1. Investigate to determine if a breach occurred and understand its scope.
2. Secure your systems to prevent further data loss.

Notification can only be delayed if requested in writing by law enforcement for a criminal investigation. If the breach involves Social Security numbers, you are required to offer affected individuals at least 12 months of free credit monitoring services. Document every step of your investigation and response. After the crisis, conduct a post-incident review to identify and implement security improvements.

Who to Notify: A School's Reporting Checklist

Massachusetts law requires reporting a data breach to several parties. You must provide written notice to:

• The Massachusetts Attorney General's Office
• The Office of Consumer Affairs and Business Regulation (OCABR)

This notice must describe the breach, the number of residents affected, and your mitigation steps. Reporting can be done via the state's online data breach notification portal. You must also send clear notices to all affected Massachusetts residents. If a third-party vendor has a breach involving your school's data, they are legally required to handle these notifications, a responsibility that must be defined in your contracts.

Penalties for Non-Compliance

Non-compliance with M.G.L. 93H carries serious consequences:

• Civil Penalties: The Attorney General can pursue fines under M.G.L. Chapter 93A, the Consumer Protection Act.
• Lawsuits: Affected residents can sue the school district for damages.
• Indirect Financial Costs: These include breach investigation, legal fees, mandated credit monitoring, and security upgrades.
• Reputational Harm: A breach can severely damage trust with parents, staff, and the community.

Compliance is about protecting your community, not just avoiding penalties. To understand your district's vulnerability to common breach causes like phishing, consider a complimentary phishing audit to assess your risk.

Navigating M.G.L. 93H and Other Education Privacy Laws

For Massachusetts schools, M.G.L. 93H is part of a complex web of privacy regulations. Understanding how these laws interact is essential for comprehensive compliance.

M.G.L. 93H vs. FERPA: What Schools Need to Know

Massachusetts schools must comply with both the federal Family Educational Rights and Privacy Act (FERPA) and the state's M.G.L. 93H. The laws are complementary.

• FERPA protects the privacy of student education records, granting parents and eligible students rights to access and control disclosure. Learn more in our guide, FERPA: The Federal Student Privacy Law That Still Matters in 2025.
• M.G.L. 93H has a broader scope, protecting the personal information of any Massachusetts resident (students, parents, staff) and focusing on security measures and breach notification.

Key differences include:

• Data Covered: FERPA covers "education records." M.G.L. 93H covers "personal information" (e.g., name + SSN), which includes data like parent financial details.
• Breach Notification: FERPA has no mandatory breach notification rule. M.G.L. 93H has strict, mandatory notification requirements.
• Enforcement: FERPA is enforced by the U.S. Department of Education. M.G.L. 93H is enforced by the MA Attorney General.

Schools must adhere to both. FERPA governs access rights, while M.G.L. 93H sets security and breach response standards.

Interaction with Massachusetts Student Records Regulations

The Massachusetts Student Records Regulations, 603 CMR 23.00, add another layer of compliance, governing the management of student records.

• 603 CMR 23.00 dictates what records to keep and for how long (e.g., transcripts permanently).
• M.G.L. 93H dictates how to secure those records and how to destroy them securely.

These regulations also provide state-specific guidance on record access and amendment rights. For more details, see our guide on 603 CMR 23.00 Student Records Regulations in Massachusetts.

Special Implications for Educational Institutions

A critical point is that M.G.L. 93H provides no exemptions for educational institutions. Schools are held to the same data security standards as banks, despite often having limited budgets.

Key considerations for schools include:

• EdTech Vendor Security: Your WISP must include procedures for vetting third-party vendors. Contracts must require vendors to protect data and outline their breach responsibilities.
• Cloud Services: Data stored in the cloud is subject to the same M.G.L. 93H protections as data on local servers.

Cybersecurity is no longer just an IT issue; it is a core part of institutional resilience. For more on this, read Cybersecurity is Now Disaster Preparedness: A New Playbook for K-12 Leaders. While demanding, compliance is achievable and essential for protecting your school community.

Ready to strengthen your district's M.G.L. 93H compliance? Connect with CyberNut for expert help building your WISP, training staff, and improving controls at https://www.cybernut.com/.

Want a fast way to gauge risk and educate staff? Request a complimentary phishing audit at https://www.cybernut.com/phishing-audit to identify vulnerabilities and targeted training needs.