July 23, 2019

Massachusetts New Data Breach Laws: Are You Compliant?

Massachusetts amended its state data breach notification law, Mass. Gen. Laws Ch. 93H, § 1-6, on January 10, 2019.  The additional requirements include changes to the notice to regulators and new credit monitoring obligations when Social Security numbers are disclosed.  These amendments became effective on April 11, 2019.

Credit Monitoring Requirements

Companies are now required to provide eighteen (18) months of credit monitoring at no cost to affected individuals.  A consumer reporting agency that suffers a breach must provide credit monitoring services for at least 42 months.  Moreover, to comply with the amended law, these credit monitoring services must be provided by a third party and cannot be provided by the entity that experienced the breach.  The entity must certify to the Massachusetts Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services offered are compliant with this new law.

A corporation must also identify any parent or affiliated corporation in its breach notice.  In this notice, the entity is prohibited from requiring an individual to waive his or her right to a private action as a condition of accepting free credit monitoring services.

Updated Consumer Notice

Massachusetts law previously required that the notification letter to the impacted individuals include: (i) the nature of the breach of security or unauthorized acquisition or use, (ii) the number of residents of the Commonwealth affected by such incident at the time of notification, and (iii) any steps the person or agency has taken or plans to take relating to the incident.  The amended law now requires that the following content also be included in the notification:

  1. The name and address of the person or agency that experienced the breach of security;
  2. Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
  3. The type of person or agency reporting the breach of security;
  4. The person responsible for the breach of security, if known;
  5. The type of personal information compromised, including, but not limited to, Social Security number, driver's license number, financial account number, credit or debit card number, or other data;
  6. Whether the person or agency maintains a written information security program; and
  7. Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.

The revised law also requires the company to inform the affected resident that there is no charge if an individual places a security freeze on his or her credit with a consumer reporting agency in response to the data breach.  If credit monitoring services are provided, the entity must also provide residents with all the necessary information to enroll in credit monitoring services.  The new amendments also require a company to identify the name of the parent or affiliated corporation if the company that experienced the breach is owned by a separate company.

Massachusetts requires breach notification “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach of security, the acquisition or use of PII by an unauthorized person, or the use of PII for an unauthorized purpose.  Other states require notification within a specified number of days.  These new amendments still do not require notification within a specific number of days; however, entities can no longer delay notification “on the grounds that the total number of residents affected is not yet ascertained,” per the statute.  In effect, this requires entities to send notices on a rolling basis where necessary.

New Government Notice

The company must also provide a copy of the notice to the Massachusetts Attorney General and OCABR.  This notice must include additional information, including the types of personal information compromised, the persons responsible for the incident, and whether the company maintains a written information security program.  The amendments also direct the OCABR, which already periodically publishes a spreadsheet of the notices received from corporations, to “make available electronic copies of the sample notice sent to consumers on its website and post such notice within 1 business day upon receipt.”

Pursuant to Massachusetts data security regulation 201 CMR § 17.03, any entity that owns or licenses personal information of a Massachusetts resident is required to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts” and that contains “administrative, technical, and physical safeguards that are appropriate” to the entity’s circumstances.  These new amendments may therefore serve as a regulatory check on whether the company experiencing the breach is in compliance with that existing regulation, and a company that is not may be subjected to further scrutiny (or even fines) for failure to comply.

Organizations and companies that possess personal information of Massachusetts residents must be prepared to comply with these amended requirements.