Massachusetts Enhances Its Data Breach Notification Law

The amended law calls for additional disclosures in notifications to regulators and affected residents and requires businesses to provide complimentary credit monitoring services to residents whose social security number may have been compromised in a breach.

Background

Similar to breach notification laws across the United States, the existing data breach notification law in Massachusetts generally sets forth rules regarding the timing and content of notifications in the wake of a “breach of security” or unauthorized acquisition or use of a resident’s “personal information.” In Massachusetts, “personal information” is limited to a resident’s name in combination with either (i) a social security number, (ii) a driver’s license number, or (iii) a financial account or credit or debit card number. A “breach of security” is the unauthorized acquisition or use of data “capable of compromising the security, confidentiality, or integrity of personal information” maintained by an entity that “creates a substantial risk of identity theft or fraud against a resident of the commonwealth.”

Unlike some other state laws, which require notification within a certain number of days, Massachusetts requires notification “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach. Two types of notifications are required: one to affected residents and one to the state Attorney General and Office of Consumer Affairs and Business Regulation (OCABR).

The Attorney General has the power to bring suit to remedy violations of the law. The court may issue injunctive orders and require payment of a civil penalty of up to $5,000 for each violation and the costs of investigation and litigation, including reasonable attorneys’ fees.

In addition to the breach notification law, existing regulations in Massachusetts address data governance and privacy. For example, the OCABR has adopted regulations requiring that every company that owns or licenses personal information about a Massachusetts resident develop, implement, and maintain a written information security program (WISP).

Updated Breach Notification Requirements 

Notice to Attorney General and OCABR. In addition to pre-existing requirements that the Attorney General and OCABR be notified of (i) the nature of the breach, (ii) the number of residents affected at the time of notification, and (iii) any steps the entity has taken or plans to take relating to the incident, the notice must now also include:

1. The name and address of the entity that experienced the breach;
2. The name and title of the person reporting the breach and their relationship to the breached entity;
3. The type of entity reporting the breach;
4. The person responsible for the breach, if known;
5. The type of personal information compromised (e.g., social security number, driver’s license number, financial account or payment card number); and
6. Whether the entity maintains a WISP, including whether the WISP has been or will be updated as a result of the incident.

Notice to Affected Residents. Consistent with the prior version of the law, notifications to affected residents must include the resident’s right to obtain a police report and how they may place a security freeze on their credit report. In addition, the amendments require that the notice disclose:

1. That there is no charge for a security freeze (which is now the case pursuant a 2018 federal law);
2. Any mitigation services to be provided pursuant to the new credit monitoring requirements; and
3. If the breached entity is owned by another person or entity, the name of the parent or affiliated corporation. 

The amendments also require rolling notices to residents while businesses investigate the scope of a breach, as companies may no longer delay notice “on the grounds that the total number of residents affected is not yet ascertained.”

Complimentary Credit Monitoring

With the new amendments, Massachusetts joins California, Connecticut, and Delaware as the only states to require free credit monitoring services to breach victims. If a breach includes a social security number, the breached entity must contract with a third party to offer a minimum of 18 months of free credit monitoring services to each resident whose social security number may have been disclosed. The minimum period of credit monitoring services is extended to 42 months if the breached entity is a consumer reporting agency. The breached entity must also file a report with the Attorney General and OCABR certifying that their credit monitoring services comply with the new requirements.

Key Takeaways

Under the amended law, businesses experiencing a data breach may now incur additional expenses to pay for free credit monitoring and must disclose more information more quickly in their breach notifications. The obligation to disclose the existence of a WISP is especially noteworthy, as it suggests regulators may be more proactive in scrutinizing those that fail to maintain a WISP in compliance with Massachusetts law. Businesses without a WISP or with an outdated WISP should consult legal counsel to bring their security program into compliance.