
On January 3, The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches to a publicly accessible state website. Previously, this information could only be obtained with a public record request. Just before this, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands enacted laws requiring companies transacting business with residents of their state to report data breaches.
Any law that intends to protect consumers is, on its face, a good one. But is the public data breach site going to have the effect intended? Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible.