Skip to Main Content

About

An image of a user holding a mobile phone

It is important that Commonwealth of Massachusetts departments immediately report any cyber incidents or other suspicious activity to departmental IT staff, even if the activity or email seems innocuous. Malware and ransomware often go undetected at first, so it is always safe to have your IT and security staff double check.

Since employees of the Commonwealth of Massachusetts are often using enterprise systems, it is also critical to notify the Executive Office of Technology and Security Services (EOTSS) and the Office of the Comptroller (CTR) to ensure enterprise systems are protected. Ransomware and other viruses can quickly spread and disrupt operations and compromise data.

In the event of a breach of personally identifiable information, Commonwealth of Massachusetts departments are legally required to notify certain agencies and affected residents.

If You Suspect a Suspicious Email or Potential Security/Fraud Incident

IT / Cyber Department Resource

Immediately report to your internal designated IT/Cyber department resource to review email or activity and implement Incident Response Plan.

EOTSS (For Executive Departments)

This guide will outline the method for alerting the appropriate Executive Office of Technology Services and Security (EOTSS) personnel if you believe you have received a phishing email.

Office of the Comptroller

Report the nature of the incident or suspicious activity to the Office of the Comptroller at [email protected]. CTR can determine risks to enterprise systems and assist with internal controls and remediation. This includes suspicious emails, phishing attempts to misdirect payments or obtain credentials, or other fraud.

Additional Law Enforcement and Fraud Reporting

For fraud against a department, file a cyber-fraud report with the local police department in the city or town where fraud occurs.

Federal Bureau of Investigation

The FBI encourages reporting of suspicious activity, including cyber incidents or fraud.

VISIT IC3.GOV
MS-ISAC

The MS-ISAC Security Operations Center is available 24/7 by phone 866-787-4722 or email.

EMAIL MS-ISAC

Monetary Losses - Internal Control Reporting

Commonwealth of Massachusetts departments are required to report unaccounted for variances, losses, or financial shortages due to a cyber incident or other fraud to the State Auditor’s Office using this form.

Send a copy of the form to the Office of the Comptroller.

If an Incident Results in a Data Breach of Personally Identifiable Information Under M.G.L. C. 93h, Additional Reporting Is Required to the Following Entities:

Attorney General's Office

If you know or have reason to know that your organization has experienced a data breach covered by the Breach Notification Law, you must notify the Attorney General’s Office.

VISIT ON MASS.GOV

Office of Consumer Affairs and Business Regulation

If you know or have reason to know that your organization has experienced a data breach covered by the Breach Notification Law, you must notify the Office of Consumer Affairs and Business Regulation.

VISIT ON MASS.GOV

Affected Massachusetts residents

If you know or have reason to know that your organization has experienced a data breach covered by the Breach Notification Law, you must notify all affected residents with a written Consumer Notice.

VISIT ON MASS.GOV

Other resources

Requirements for Data Breaches

View more information about data breaches and what the law defines as personal information.

VISIT ON MASS.GOV

Obligations Under the Data Security Regulations and Breach Notification Law

The Data Security Regulations tell you what you must do to prevent a data breach and the Breach Notification Law tells you what you must do when a breach happens.

VISIT ON MASS.GOV

Security Breach Compliance

Chapter 93H Section 3

VISIT ON MALEGISLATURE.GOV