On August 19, the Massachusetts attorney general announced a $795,000 settlement with a property management company for allegedly failing to protect the personal information of thousands of individuals after multiple data breaches. The attorney general also alleged the company delayed notification to affected consumers and the state after five separate cybersecurity incidents, which occurred between November 2019 and September 2021, compromised sensitive data including Social Security numbers, driver’s license numbers, and bank account information. The attorney general held the company violated the Massachusetts Consumer Protection Act and the Data Security Law, which require timely notification of breaches and adequate protection of personal information.

The breaches reportedly resulted from phishing emails, and the company failed to inform impacted individuals until nearly seven months after the first two incidents. If approved by the court, the settlement would require the company to implement certain cybersecurity measures, such as phishing protection software, multi-factor authentication, and annual security assessments for three years.