The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law. In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers. The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.
Free Credit Monitoring
The amendments to the breach notification law will require that entities “contract with a third party to provide” free credit monitoring services to impacted Massachusetts residents following breaches involving Social Security numbers. In so doing, Massachusetts will join California, Connecticut, and Delaware as states requiring entities to provide free credit monitoring or identity theft protection services following certain types of breaches. The Massachusetts amendments will require entities to provide such free services “for a period of not less than 18 months,” although consumer reporting agencies that experience such a breach must provide such services for a period of not less than 42 months. The amendments will also require entities to provide instructions on how to sign up for such services to affected individuals and prohibit requiring an impacted resident to waive his or her private right of action as a condition of the offer of such services.
Updated Content Requirements for Breach Notifications
The amendments also updated Massachusetts’ requirements for content that must be included in breach notifications to state regulators and affected individuals. Existing Massachusetts law requires entities that notify state residents pursuant to the Massachusetts breach notification statute to also notify the Massachusetts Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (OCABR). In addition to existing requirements for such notifications to include (i) the nature of the breach of security or unauthorized acquisition or use, (ii) the number of residents of the commonwealth affected by such incident at the time of notification, and (iii) any steps the person or agency has taken or plans to take relating to the incident, the amendments will now require these notifications to also include:
- The name and address of the person or agency that experienced the breach of security;
- Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
- The type of person or agency reporting the breach of security;
- The person responsible for the breach of security, if known;
- The type of personal information compromised, including, but not limited to, Social Security number, driver’s license number, financial account number, credit or debit card number, or other data;
- Whether the person or agency maintains a written information security program; and
- Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.
In addition, the amendments will also require the notifying entity to “file a report” with the state Attorney General and OCABR “certifying that their credit monitoring services comply” with the amendments’ requirements for such services. (Note that, although the statute does not require their use, both the Attorney General and OCABR provide online breach notification submission forms that will presumably be updated to reflect these new requirements).
The new requirements for a notifying entity to state whether it “maintains a written information security program” are particularly noteworthy in Massachusetts, which maintains one of the nation’s most detailed state data security laws. The Massachusetts data security regulations (201 CMR 17.00 et seq.) include a requirement for any entity that owns or licenses personal information about a Massachusetts resident to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts” and that contains certain “administrative, technical, and physical safeguards that are appropriate” to the entity’s circumstances. Once implemented, the new amendments to the Massachusetts data breach notification requirements may function as a regulatory check on compliance with the state’s data security requirements and potentially expose notifying entities to additional regulatory scrutiny and legal risk if they have not complied with the requirement to implement a written information security program.
Separately, the amendments will also update the requirements for content to be included in notifications to affected individuals. In addition to existing law, which requires notifications to affected individuals to include (i) an individual’s right to obtain a police report and (ii) how an individual requests a security freeze on the individual’s credit report and the necessary information to be provided when requesting the security freeze, the amendments will also require such notifications to include (iii) that there shall be no charge for a security freeze; and (iv) information regarding mitigation services to be provided pursuant to the Massachusetts data breach notification law (e.g. free credit monitoring for certain types of breaches). In addition, if the entity that experienced the breach of security is “owned by another person or corporation,” the amendments will require notification to affected individuals to include the name of the “parent or affiliated corporation.”
Notification Timing Requirements
The amendments will also implement changes to notification timing requirements and public disclosure of notification materials. Unlike other states’ breach notification laws, which may require notification within a certain number of days, Massachusetts’ breach notification law only requires notification “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach of security, the acquisition or use of PII by an unauthorized person, or use of PII for an unauthorized purpose. The amendments will not alter these timing requirements, but will clarify that entities cannot delay notifications required under the notification statute “on the grounds that the total number of residents affected is not yet ascertained.”
Public Disclosure of Notifications
Finally, the amendments will require the OCABR, which already publishes and periodically updates a spreadsheet of notifications it receives, to “make available electronic copies of the sample notice sent to consumers on its website and post such notice within 1 business day upon receipt.” In addition, the OCABR must also instruct consumers on how they may file a public records request to obtain a copy of the notice provided to the Attorney General and the OCABR from the entity that experienced a breach of security.