Previously, and in other states, what would happen is that once there was a data breach, then a company would have to take steps to correct the situation. This new law is more preemptive in nature, aiming to protect MA residents before they are victimized. Makes sense. However, it has the potential to cause huge legal problems for companies who are not in compliance. The law allows for a $5000 fine for businesses who are not prepared, but the law is unclear about whether that fine is per incident or per client who is victimized.