Massachusetts Data Breach Notification law gets teeth | Legislation will “significantly amend” state’s data breach notification law.
Massachusetts Governor Charlie Baker has signed new legislation that significantly amends the state’s data breach notification law. The amendments take effect on April 11, 2019.
Perhaps the most significant amendment is a new requirement to offer complimentary credit monitoring for “a period of not less than 18 months” when a personal data security incident involves a Massachusetts resident’s Social Security number. This aligns Massachusetts with Delaware and Connecticut, which already require an offer of complimentary credit monitoring in such situations.
Data breach notification timing
The timing of individual notice obligations is unchanged: notice must still be given “as soon as practicable and without unreasonable delay”. However, the amendments now require a rolling notification to individuals under certain circumstances:
A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.
In addition, notices to individuals must now identify the name of the parent or affiliated corporation where the organization that suffered the breach of security is owned by another person or corporation.
Report breach to Consumer Affairs
Other notable updates concern the information that must be provided to the Massachusetts Office of the Attorney General and the Office of Consumer Affairs and Business Regulation in the event of a security breach. In addition to the information already required under the existing law, the amendments require the breached person or agency to tell the state regulators “whether the person or agency maintains a written information security program.”
This new requirement of the Massachusetts Data Breach Notification law builds on an existing Massachusetts regulation, 201 CMR § 17.03(1), which already obligates “every person that owns or licenses personal information about a resident of the Commonwealth [to] develop, implement, and maintain a comprehensive information security program.” In practice, an organization that has not maintained such a program will now have to disclose that fact to the regulators as part of its breach report.
Further amendments require that a person or agency that experiences a breach of security involving Social Security numbers “file a report with the attorney general and the director of consumer affairs and business regulation certifying their credit monitoring services comply with” the new requirement to offer complimentary credit monitoring services for a period of at least 18 months.
Sources and credits: Data Privacy Monitor