New Massachusetts Law Creates More Stringent Notification Requirements for Data Breach Incidents
While we’ve all been busy keeping an eye on California’s CCPA mess and the brewing federal privacy legislation, Massachusetts enacted some amendments to its already stringent consumer-protection-oriented privacy laws. (See MGL c.93H)
As a result of the amendments, effective April 11, 2019, Massachusetts’ general breach notification statute will include the following new requirements:
- Consent to Access Credit Reports – Before getting hold of a consumer’s credit report for most non-credit purposes, third parties must obtain the consumer’s consent. In the process, they also need to disclose the reason they’re seeking access.
- Security Freezes – Consumer reporting agencies can no longer charge a fee to consumers to place, lift, or remove a security freeze on their credit reports.
- Credit Monitoring Services – Companies experiencing a security breach involving Social Security numbers must offer affected MA residents free credit monitoring services for at least 18 months (or 42 months if the company is a consumer reporting agency). Additionally, companies that experience a security breach must file a report with the Attorney General and Department of Consumer Affairs and Business Regulation certifying that their credit monitoring services comply with state law.
- No Waiver – Individuals affected by breaches can no longer be required to waive their private right of action as a condition to getting credit monitoring services.
- Breach Notice Obligations – Notice to the Attorney General and Department of Consumer Affairs and Business Regulation must include additional information such as the person responsible for the breach (if known), the type of personal information compromised, and whether the entity has a written information security program in place. Notice to consumers must include the name of the parent or affiliated corporation if the entity that experienced the breach is owned by another entity.
- No Delay in Notice to Residents – Notice to residents cannot be delayed on the grounds that the total number of residents affected has not been ascertained. If and when additional information is obtained, additional notice must be provided as soon as practicable and without unreasonable delay.
It’s not clear how these requirements will work in practice, but for those whose business activities expose them to Massachusetts law, existing incident response and management policies should be revisited by the end of March to make sure they reflect these new obligations.