[BreachExchange] Massachusetts Amends Data Breach Notification Statute

[Destry Winant]

https://www.jdsupra.com/legalnews/massachusetts-amends-data-breach-33248/

The Governor of Massachusetts recently signed new legislation amending
the state’s already-existing data breach notification statute that,
among other changes, now requires 18 months of free credit monitoring
services to residents affected by a data breach and makes changes to
required information on data breach notifications sent to affected
consumers, the Massachusetts AG, and the Director of the Office of
Consumer Affairs and Business Regulation.

Massachusetts already had a data breach notification statute that
required an entity suffering a data breach to notify the AG and the
Director of the 1) nature of the breach; 2) the number of residents of
Massachusetts affected; and 3) any steps taken related to the
incident.  The Notification must now also include:

- The name and address of the person or agency that experienced the
breach of security;
- Name and title of the person or agency reporting the breach of
security, and their relationship to the person or agency that
experienced the breach;
- The type of person or agency reporting the breach;
- The person responsible for the breach, if known;
- The type of personal information compromised, including but not
limited to Social Security number, driver’s license number, financial
account number, credit or debit card number, or other data;
- Whether the person or agency maintains a written information
security program; and
- Whether the person or agency is updating the written information
security program as part of any steps the person or agency has taken
or plans to take relating to the incident.

The affected party must also file a report with the AG and Director to
certify that their credit monitoring services are compliant with the
statutory requirements.  The consumer-specific notification must
contain the following information: 1) an individual’s right to a
police report; 2) how an individual can request a security freeze on
their credit report; 3) that there will be no charge for such security
freeze; and 4) information regarding mitigation services to be
provided pursuant to the data breach notification law. Such
notification must be sent out as soon as practicable and without
unreasonable delay, once an entity knows or has reason to know of a
data breach.

Additionally, the new legislation requires the party suffering a data
breach to provide free credit monitoring services to any resident for
18 months if the security breach included their social security
number.  The requirement is extended to 42 months if the entity that
suffered the breach is a consumer reporting agency.  This offer of
free credit monitoring services cannot be waived by the affected
consumer.