[BreachExchange] Massachusetts Data Breach Changes – Coming April 11!

[Destry Winant]

https://www.natlawreview.com/article/massachusetts-data-breach-changes-coming-april-11

Significant changes to the Massachusetts data breach notification law
take effect on April 11, 2019.   You can view the amendment here. If
you haven’t looked at your written information security plan, or WISP,
in a while, now’s the time to dust it off.  If you still haven’t
gotten around to implementing one as required by 201 CMR 17 back in
2010, now’s the time to get going. The revisions to Chapter 93H
requires more detailed notifications to both the Massachusetts AG and
the Office of Consumer Affairs and Business Regulation (OCABR) and to
the affected individuals.  It also requires that entities experiencing
a security breach provide credit monitoring to individuals if a breach
includes the loss of a Social Security number.

Notice to Affected Individuals

Chapter 93H requires that notice of a security breach be provided “as
soon as practicable and without unreasonable delay.” With the “Act
Relative to Consumer Protection from Security Breaches”, reporting of
a Massachusetts breach to individuals may require providing
individuals with multiple (repeat) notifications if after the initial
notice, the entity discovers information that updates or corrects the
information originally provided.  Also, the statute specifically
states that “[a] notice provided pursuant to this section shall not be
delayed on grounds that the total number of residents affected is not
yet ascertained.” (emphasis added) The statute also sets out
additional content categories that notices to Massachusetts residents
will be required to contain.  We recommend reviewing your template for
breach response, as the includes a new list of required elements for
the individual notice. Much of the information added to the statute
has been included in individual notices as a matter of course, but
given that it is now statutory, templates should be reviewed and
revised accordingly.

Notices to the AG and OCABR

The revisions require some unique reporting requirements, not the
least of which is that a breached entity is required to identify the
person who caused the breach, if known.  You’ll also be required to
disclose to the regulators whether you have a WISP, and whether you’ve
amended your WISP as a result of the incident.  Given that entities
that use, store, own or license personal information of residents of
the Commonwealth have been required to implement and maintain a WISP
since 2010, this gives Massachusetts regulators a tool to monitor
compliance, and perhaps to pursue enforcement actions for failure to
comply which may have resulted in (or contributed to) a security
breach. Also, if the breached entity is a subsidiary, the new statute
requires that notice to the regulators (and to individuals) also name
the parent of the breached entity.

Credit Monitoring

Massachusetts joins California, Connecticut, and Delaware in requiring
that a breached entity offer third-party credit monitoring services to
impacted individuals if Social Security numbers are compromised.   The
difference here is that Massachusetts now requires 18 months of credit
monitoring services be provided, as opposed to statutes in Connecticut
and Delaware which require 12 months (although state regulators have
been expecting that 2 years of credit monitoring be provided).
California law requires credit monitoring for “not less than 12
months.” We recommend that companies check with their cyberliability
carrier to ensure that they have at least 18 months (or as otherwise
required by law or regulatory authority) of credit monitoring services
in the event of a breach.