Massachusetts Amends Data Breach Notification Statute
The Governor of Massachusetts recently signed new legislation amending the state’s already-existing data breach notification statute that, among other changes, now requires 18 months of free credit monitoring services to residents affected by a data breach and makes changes to required information on data breach notifications sent to affected consumers, the Massachusetts AG, and the Director of the Office of Consumer Affairs and Business Regulation.
Massachusetts already had a data breach notification statute that required an entity suffering a data breach to notify the AG and the Director of the 1) nature of the breach; 2) the number of residents of Massachusetts affected; and 3) any steps taken related to the incident. The Notification must now also include:
- The name and address of the person or agency that experienced the breach of security;
- Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach;
- The type of person or agency reporting the breach;
- The person responsible for the breach, if known;
- The type of personal information compromised, including but not limited to Social Security number, driver’s license number, financial account number, credit or debit card number, or other data;
- Whether the person or agency maintains a written information security program; and
- Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.
The affected party must also file a report with the AG and Director to certify that their credit monitoring services are compliant with the statutory requirements. The consumer-specific notification must contain the following information: 1) an individual’s right to a police report; 2) how an individual can request a security freeze on their credit report; 3) that there will be no charge for such security freeze; and 4) information regarding mitigation services to be provided pursuant to the data breach notification law. Such notification must be sent out as soon as practicable and without unreasonable delay, once an entity knows or has reason to know of a data breach.
Additionally, the new legislation requires the party suffering a data breach to provide free credit monitoring services to any resident for 18 months if the security breach included their social security number. The requirement is extended to 42 months if the entity that suffered the breach is a consumer reporting agency. This offer of free credit monitoring services cannot be waived by the affected consumer.