The Governor of Massachusetts recently signed new legislation amending the state’s existing data breach notification statute. Among other changes, the law now requires that residents affected by a data breach be provided with 18 months of free credit monitoring services, and it changes the information required in data breach notifications sent to affected consumers, the Massachusetts AG, and the Director of the Office of Consumer Affairs and Business Regulation.
Massachusetts already had a data breach notification statute that required an entity suffering a data breach to notify the AG and the Director of 1) the nature of the breach; 2) the number of residents of Massachusetts affected; and 3) any steps taken related to the incident. The notification must now also include:
The affected party must also file a report with the AG and Director to certify that their credit monitoring services are compliant with the statutory requirements. The consumer-specific notification must contain the following information: 1) an individual’s right to a police report; 2) how an individual can request a security freeze on their credit report; 3) that there will be no charge for such security freeze; and 4) information regarding mitigation services to be provided pursuant to the data breach notification law. Such notification must be sent out as soon as practicable and without unreasonable delay, once an entity knows or has reason to know of a data breach.
Additionally, the new legislation requires the party suffering a data breach to provide free credit monitoring services to any resident for 18 months if the security breach included their social security number. The requirement is extended to 42 months if the entity that suffered the breach is a consumer reporting agency. This offer of free credit monitoring services cannot be waived by the affected consumer.