1 September 2025

Massachusetts AG Secures $795,000 Settlement For Alleged Data Security And Breach Notification Failures

Sheppard, Mullin, Richter & Hampton LLP

Contributor


On August 19, Massachusetts Attorney General Andrea Joy Campbell announced a $795,000 settlement with a property management company for alleged violations of the Massachusetts Consumer Protection Act, and the Massachusetts Data Security Law and Data Security Regulations. The AG alleged that the company failed to maintain reasonable data security practices and delayed required notifications to both regulators and consumers following multiple cybersecurity breaches.

According to the press release, the company manages hundreds of residential properties across Massachusetts and experienced five separate breaches between November 2019 and September 2021. Hackers accessed sensitive consumer personal information, including Social Security numbers, driver's license numbers, and bank account data, through phishing emails. Nearly 14,000 notice letters were ultimately sent to affected consumers, but two of the five breaches allegedly went unreported for almost seven months.

The consent judgment imposes the following requirements:

  • Monetary relief. The company must pay $795,000 to the Commonwealth.
  • Cybersecurity enhancements. The company is required to implement phishing protection, multi-factor authentication, a vulnerability management program, an asset inventory, and an intrusion detection and prevention system.
  • Security monitoring and assessments. The company must deploy a security incident and event management platform and conduct annual independent security assessments for three years.

Putting It Into Practice: Massachusetts remains highly active in consumer protection enforcement and legislative initiatives. Property managers, financial institutions, and other businesses handling personal information should review existing safeguards against phishing and similar attacks, confirm that breach notification procedures meet state requirements, and ensure that monitoring and vulnerability management programs are current.
