Massachusetts Amends Data Breach Notification Statute

Weiner Brodsky Kider PC

Weiner Brodsky Kider PC

The Governor of Massachusetts recently signed new legislation amending the state’s already-existing data breach notification statute that, among other changes, now requires 18 months of free credit monitoring services to residents affected by a data breach and makes changes to required information on data breach notifications sent to affected consumers, the Massachusetts AG, and the Director of the Office of Consumer Affairs and Business Regulation.

Massachusetts already had a data breach notification statute that required an entity suffering a data breach to notify the AG and the Director of the 1) nature of the breach; 2) the number of residents of Massachusetts affected; and 3) any steps taken related to the incident.  The Notification must now also include:

  • The name and address of the person or agency that experienced the breach of security;
  • Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach;
  • The type of person or agency reporting the breach;
  • The person responsible for the breach, if known;
  • The type of personal information compromised, including but not limited to Social Security number, driver’s license number, financial account number, credit or debit card number, or other data;
  • Whether the person or agency maintains a written information security program; and
  • Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.

The affected party must also file a report with the AG and Director to certify that their credit monitoring services are compliant with the statutory requirements.  The consumer-specific notification must contain the following information: 1) an individual’s right to a police report; 2) how an individual can request a security freeze on their credit report; 3) that there will be no charge for such security freeze; and 4) information regarding mitigation services to be provided pursuant to the data breach notification law. Such notification must be sent out as soon as practicable and without unreasonable delay, once an entity knows or has reason to know of a data breach.

Additionally, the new legislation requires the party suffering a data breach to provide free credit monitoring services to any resident for 18 months if the security breach included their social security number.  The requirement is extended to 42 months if the entity that suffered the breach is a consumer reporting agency.  This offer of free credit monitoring services cannot be waived by the affected consumer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Weiner Brodsky Kider PC | Attorney Advertising

Written by:

Weiner Brodsky Kider PC

Weiner Brodsky Kider PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.