950 CMR, § 33.29
Any employee of an agency found breaching the confidentiality of data subjects through violation of these regulations shall be subject to reprimand, suspension, dismissal, or other disciplinary actions by the employer agency consistent with the rules and regulations of the Commonwealth governing its employees, and may be denied future contact with personal data and removed from holding responsibility.
Any agency which violates the terms of 950 CMR 33.00 may be liable to individuals injured, pursuant to M.G.L. c. 214, § 3B and may be subject to legal action to enjoin such violations brought by the Attorney General. Any entity other than an agency which violates any provision of these regulations shall be subject to a review and an investigation by the appropriate administrative agency of the State Secretary's office which may lead to suspension of any contractual relationship and to legal sanctions brought by the Attorney General.
950 CMR, § 33.29