Massachusetts Amends Data Breach Notification Law

Massachusetts Governor Charlie Baker has signed legislation amending the state’s data breach notification law, and the amendments will take effect on April 11, 2019. The new requirements relate to the timing and content of individual and regulator notifications, as well as credit monitoring services offered to affected residents. The key amendments include the following provisions.

No Fees for Security Freezes: The amended law does not allow consumer reporting agencies to charge fees for consumers who elect to place, lift, or remove a security freeze from their consumer report. Individual notification letters to affected residents must state that there shall be no charge to place a security freeze.

Required Credit Monitoring: Under the amended law, if Social Security numbers were disclosed or reasonably believed to have been disclosed in a breach, the entity must provide credit monitoring services to the affected residents at no cost for no less than 18 months (or, if the breach occurred at a consumer reporting agency, for a minimum of 42 months). The letter must also provide information on how to enroll in the credit monitoring services and how to place a security freeze on a consumer report. If applicable, entities must certify to state regulators that their credit monitoring services comply with these requirements.

Regulator Notice: The law adds to the list of information that must be included in notices to both the Massachusetts Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), including whether the entity experiencing the breach maintains a written information security program, the person responsible for the breach (if known), and any steps that the entity has taken or plans to take relating to the incident.

Entities are also required to submit a sample of the notification letters that they send to residents, and the amended law stipulates that the OCABR shall post a copy of the letters online within one business day of receiving them. The OCABR will then update its online notification report once it has verified the information in the letter. The OCABR will also instruct consumers on how they may file a public records request to obtain a copy of the notice that the entity experiencing the breach provided to the Attorney General and the OCABR.

Timing of Notifications: Significantly, under the new law, an entity may not delay notification under the statute on the grounds that the total number of residents affected is not yet known. Instead, the entity must notify individuals and regulators, and then if there is a need to update or correct information required by the statute, the entity shall provide additional notice without unreasonable delay.

Affiliated Corporations: If an entity that experiences a breach is owned by another person or corporation, the new law requires that the notice to the consumer include the name of the parent or affiliated corporation.