Massachusetts recently updated its breach notification statute, requiring an organization to provide additional services for individuals and greater disclosures to state regulators when a data breach occurs. The changes come as part of H.B. 4806, enacted on January 10, 2019, which amends the Bay State's data breach notification statute (Mass. Gen. Laws ch. 93H, §§ 1–6).

The changes go into effect on April 10, 2019. As described below, organizations and companies that have personal information of Massachusetts residents will need to adjust their notification procedures by that date to come into compliance with the revised law.

New Credit Monitoring Requirement When Social Security Numbers Are Involved

Under the amendments, if an organization or business knows or has reason to know that a breach of security included Massachusetts residents' Social Security numbers, it must provide credit monitoring services at no cost to the affected residents. For most entities, those credit monitoring services must be provided for at least 18 months.

A consumer reporting agency that experiences a data breach must provide free credit monitoring services for at least 42 months. Importantly, credit monitoring services must be provided by a third party – that is, the breached entity cannot use its own credit monitoring to satisfy the new statutory requirement.

New Consumer Notice Requirements

The revised law requires an entity to inform Massachusetts residents of the mitigation services that will be provided to residents, such as credit monitoring services, and tell consumers that there is no charge if an individual places a security freeze on his or her credit with a consumer reporting agency in response to the data incident. If credit monitoring services are provided, the entity must also provide residents with all the necessary information to enroll in credit monitoring services.

The new language regarding security freezes comports with the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, which prohibits consumer reporting agencies from charging fees to consumers to place or lift freezes on their credit files.

New Government Notice Requirements

Massachusetts' statute currently requires an organization or business to inform the state Attorney General and the Office of Consumer Affairs and Business Regulation (OCABR) of a breach of personal information if any state resident is notified. The entity may also need to notify consumer reporting agencies or additional state agencies of the breach if so directed by the Director of OCABR.

The amendments expanded the content of these notifications to further include:

  • the entity's name and address;
  • the name and title of the person or agency reporting the breach, and their relationship to the entity that experienced the breach;
  • the type of person or agency reporting the breach;
  • the person responsible for the breach of security, if known;
  • the type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number, or other data;
  • whether the entity maintains a written information security program; and
  • any steps the entity has taken or plans to take relating to the incident, including updating the written information security program.

The entity must also file a report with the Attorney General and the OCABR certifying that the credit monitoring services provided to affected residents comply with the new requirements of the statute.

Companies affected by these new requirements are advised to discuss with experienced legal counsel how the new statutory requirements may affect their operations and data breach response procedures. Lewis Brisbois' dedicated Data Privacy & Cybersecurity Team can help determine your obligations under the revised Massachusetts law.

Stay up to date on your jurisdiction's data breach notification statutes and security standards with the new Lewis Brisbois Cyber app, available in Apple and Android app stores, or check out our interactive Data Privacy Statute Map.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.