The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law.  In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.  The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.

Free Credit Monitoring

The amendments to the breach notification law will require that entities “contract with a third party to provide” free credit monitoring services to affected Massachusetts residents following breaches involving Social Security numbers.  In so doing, Massachusetts joins California, Connecticut, and Delaware as states requiring entities to provide free credit monitoring or identity theft protection services following certain types of breaches.  The Massachusetts amendments will require entities to provide such services “for a period of not less than 18 months”; consumer reporting agencies that experience such a breach must provide them for a period of not less than 42 months.  The amendments will also require entities to give affected individuals instructions on how to enroll in the services, and will prohibit entities from requiring an affected resident to waive his or her private right of action as a condition of receiving them.

Updated Content Requirements for Breach Notifications

The amendments also update Massachusetts’ requirements for the content of breach notifications to state regulators and affected individuals.  Existing Massachusetts law requires entities that notify state residents under the breach notification statute to also notify the Massachusetts Attorney General and the Director of the Office of Consumer Affairs and Business Regulation (OCABR).  Those notifications must already include (i) the nature of the breach of security or unauthorized acquisition or use, (ii) the number of residents of the commonwealth affected by the incident at the time of notification, and (iii) any steps the person or agency has taken or plans to take relating to the incident.  The amendments will require them to also include:

  1. The name and address of the person or agency that experienced the breach of security;
  2. Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security;
  3. The type of person or agency reporting the breach of security;
  4. The person responsible for the breach of security, if known;
  5. The type of personal information compromised, including, but not limited to, Social Security number, driver’s license number, financial account number, credit or debit card number, or other data;
  6. Whether the person or agency maintains a written information security program; and
  7. Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.

In addition, the amendments will also require the notifying entity to “file a report” with the state Attorney General and OCABR “certifying that their credit monitoring services comply” with the amendments’ requirements for such services.  (Note that, although the statute does not require their use, both the Attorney General and OCABR provide online breach notification submission forms that will presumably be updated to reflect these new requirements).

The new requirement that a notifying entity state whether it “maintains a written information security program” is particularly noteworthy in Massachusetts, which has one of the nation’s most detailed state data security laws.  The Massachusetts data security regulations (201 CMR 17.00 et seq.) require any entity that owns or licenses personal information about a Massachusetts resident to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts” and that contains “administrative, technical, and physical safeguards that are appropriate” to the entity’s circumstances.  Because a breach notification will now have to answer that question directly, the amendments may function as a regulatory check on compliance with the data security regulations: an entity that reports it has no written program is, in effect, disclosing non-compliance with 201 CMR 17.00 to the Attorney General and OCABR, and can expect additional regulatory scrutiny and legal risk as a result.

Separately, the amendments will also update the requirements for content to be included in notifications to affected individuals.  In addition to existing law, which requires notifications to affected individuals to include (i) an individual’s right to obtain a police report and (ii) how an individual requests a security freeze on the individual’s credit report and the necessary information to be provided when requesting the security freeze, the amendments will also require such notifications to include (iii) that there shall be no charge for a security freeze; and (iv) information regarding mitigation services to be provided pursuant to the Massachusetts data breach notification law (e.g. free credit monitoring for certain types of breaches).  In addition, if the entity that experienced the breach of security is “owned by another person or corporation,” the amendments will require notification to affected individuals to include the name of the “parent or affiliated corporation.”

Notification Timing Requirements

The amendments also address notification timing and the public disclosure of notification materials.  Unlike the breach notification laws of some other states, which require notification within a set number of days, the Massachusetts statute requires notification only “as soon as practicable and without unreasonable delay” once an entity “knows or has reason to know” of a breach of security, the acquisition or use of personal information by an unauthorized person, or the use of personal information for an unauthorized purpose.  The amendments will not alter this standard, but will clarify that an entity cannot delay a required notification “on the grounds that the total number of residents affected is not yet ascertained.”

Public Disclosure of Notifications

Finally, the amendments will require the OCABR, which already publishes and periodically updates a spreadsheet of notifications it receives, to “make available electronic copies of the sample notice sent to consumers on its website and post such notice within 1 business day upon receipt.”  In addition, the OCABR must also instruct consumers on how they may file a public records request to obtain a copy of the notice provided to the Attorney General and the OCABR from the entity that experienced a breach of security.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.