Massachusetts Expands Its Breach Notification Requirements: Are You Ready?
As of April 11, 2019, Massachusetts data breach victims will be entitled to enhanced rights and protections under An Act Relative To Consumer Protection From Security Breaches.
Any company that deals with the personal information of Massachusetts residents should be mindful of these regulatory changes and update its data security policies and practices—importantly, including its required Written Information Security Program—to reflect these changes in advance of the April 11, 2019 effective date.
As your organization prepares to incorporate these changes into your incident response plans, members of any breach response teams should receive updated training to ensure that the regulatory required information is shared with the appropriate parties. In addition, if your company handles SSNs of Massachusetts residents, you should identify a consumer credit monitoring service to engage in the event of a breach.
Highlights of the regulatory change include:
| Effective April 11, 2019 | |
|---|---|
| Data Breach Regulations | |
| Consumer Notification Requirement | Notice must include: (i) the resident's right to a police report; (ii) how the resident may request a security freeze; (iii) that there shall be no charge for a security freeze; and (iv) the mitigation services to be provided. A sample copy of the notice sent to the consumer must be sent to the attorney general and the office of consumer affairs and business regulation. Mass. Gen. L. c. 93H § 3(b) |
| Consumer Credit Monitoring Services | The breached party is required to provide at least 18 months of credit monitoring free of charge to Massachusetts residents if the breach includes a social security number. The requirement is increased to 42 months if the breached party is a credit monitoring service. The breached party may not require a resident to waive the resident's private right of action as a condition of the offer of credit monitoring services. Mass. Gen. L. c. 93H § 3A |
| State Regulators Notification Requirement (attorney general and said director, and consumer reporting agencies or state agencies) | Notice must include: (i) the nature of the breach; (ii) the number of Massachusetts residents affected by the breach; (iii) the name and address of the breached party; (iv) the name and title of the party reporting the breach and their relationship to the breached party; (v) the type of person or agency reporting the breach; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised; (viii) whether the breached party maintains a written information security program; (ix) any steps the breached party has taken or plans to take relating to the incident; and (x) a report filed with the attorney general and the director of consumer affairs and business regulation certifying that the breached party's credit monitoring services comply with Massachusetts regulations. Mass. Gen. L. c. 93H § 3(b) |
| Consumer Report Regulations | |
| Consent from Consumers Before Obtaining Their Reports | Nonwaivable requirement that third parties obtain the prior consent of a consumer AND disclose to the consumer the reason for obtaining the consumer report, prior to obtaining consent, before obtaining a consumer report. Note: there are limited exceptions to these requirements for existing accounts. Mass. Gen. L. c. 93 § 51B |
| Consumers' Right to Information from a Consumer Reporting Agency | Upon request and identification of the consumer, consumer reporting agencies must inform consumers of certain information in their consumer reports, such as: (a) the nature, contents and substance of all non-medical information in its file on the consumer at the time of the request and the source of such information; (b) the sources of all credit information obtained through routine credit reporting or through any other credit reporting techniques in the file at the time of the request; and (c) the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request. Mass. Gen. L. c. 93 § 56a |
| Consumer Reporting Agency's Obligation to Advise Consumers of Rights | Advise the consumer of the consumer's rights with each written disclosure, or in response to a request by the consumer to be advised as to the consumer's rights. See the section for the prescribed language. Mass. Gen. L. c. 93 § 56b |
| Requirements When Providing Paid Security Freeze Products | A consumer reporting agency shall not knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit unless, at the time of the transaction, it notifies the consumer of the availability of a security freeze without charge AND provides information to the consumer on how to obtain a security freeze. Mass. Gen. L. c. 93 § 62B |
These changes are a continuation of Massachusetts’ history of being at the forefront of data protection law development in the U.S. Accordingly, it would not be surprising if other states followed suit in amending their respective data protection laws to enhance consumer rights and breached party reporting requirements.