Changes to Massachusetts Law on Security Breaches

Nutter McClennen & Fish LLP

On April 11, 2019, significant revisions to Massachusetts’ data breach law – Chapter 93H – take effect. The revised statute requires more detailed notifications to both the Commonwealth and affected consumers, and mandates that breached entities offer consumer credit monitoring to affected individuals after certain types of breaches, a practice that has become common but was not previously required.

Additional Notice Requirements: The revised statute maintains the core notification requirement for an entity that owns or licenses personal data that has suffered a data breach involving the personal information of a Massachusetts resident. As before, the entity must notify the Massachusetts Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected individuals. The amendment to the statute adds more information that must be provided in these notices. Key examples include:

  • Whether the entity maintains a written information security program (WISP)
  • The name and address of the entity that experienced the breach of security
  • The name and title of the entity reporting the breach of security and their relationship to the entity that experienced the breach of security
  • The type of entity reporting the breach of security
  • The name of the parent of the entity that experienced a breach, if any exists
  • If known, the person responsible for the breach of security
  • Mitigation services to be provided pursuant to the law
  • The type of personal information compromised, such as Social Security number, driver’s license number, financial account number, credit or debit card number, or other data
  • As with the earlier version of the statute, the notice must include any steps the entity has taken or plans to take in response to the incident. The revised statute now specifies that one of those “steps” ought to include updating the WISP.

Required Credit Monitoring Services: If the breach included the loss of Social Security numbers, the revised statute requires breached entities to offer credit monitoring services to affected individuals. The statute has several requirements for this service, the most important of which is that it must be for a period of at least 18 months for most entities and 42 months if the breached entity is a consumer reporting agency. A report certifying compliance with the credit monitoring services must also be filed with the Attorney General and the Director of Consumer Affairs and Business Regulation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nutter McClennen & Fish LLP | Attorney Advertising
