As of April 11, 2019, Massachusetts will require organizations suffering a data breach that involves a resident’s social security number to provide credit monitoring services (CM Services) at no cost to the resident. If the organization is a consumer reporting agency, the CM Services must be provided for at least 42 months, while all other organizations must provide the CM Services for at least 18 months. The new law prohibits the organization from requiring a resident to waive a private right of action as a condition to the offer of the CM Services, and it requires the organization to certify to the Attorney General and the Director of Consumer Affairs and Business Regulation the organization’s compliance with the CM Services requirement.
The new law contains other important changes to breach notification requirements in Massachusetts, such as new content requirements, a prohibition on delaying notice due to the total number of affected residents not yet having been ascertained, and a requirement that the notice include the name of any parent or affiliated corporation that owns the organization. The new law also provides for the posting of breach-related information by the Massachusetts Office of Consumer Affairs and Business Regulation on the office’s website.