The Governor of Massachusetts has signed in a new law that updates the state’s existing data breach laws.
Massachusetts Governor Charlie Baker signed the law, named “An Act relative to consumer protection from security breaches” on January 10, 2019. It will come into effect in April 2019.
One of the changes introduced by the law is the removal of fees charged by credit reporting agencies for security disclosures and freezes in consumer credit reports. However, the most significant changes introduced by the law are in how it will require businesses and organisations to handle data breaches and other such information security incidents.
In Massachusetts, a breach is defined as the unauthorised acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. The law states that an organisation which suffers a data breach must issue a notification if certain types of data is compromised during the breach, in addition to individual’s first name and last name or first initial and last name and Social Security Number. The types of data specified in the breach notification rule include driver’s license number, state issued ID card number, and financial information.
The theft of any of the above information puts an individual at a heightened risk of identity fraud, which usually results in some sort of financial loss. The consequences of such a crime can be devastating. It is hoped that the changes in Massachusetts state law may help individuals in the aftermath of a data breach better mitigate that risks of becoming a victim of fraud.
The new law does not explicitly mention a timescale on which data breach notifications should be sent to affected individuals. It states that, once a breach has been identified, breach notification letters must be sent “as soon as is practicable and without unreasonable delay”. This is unlike other data protection laws; the Health Insurance Portability and Accountability Act (HIPAA) stipulates that breach notification letters must be sent within 60 days of the breach being discovered. The EU’s General Data Protection Regulation (GDPR) states that breach notifications should be sent “without undue delay”.
Under the new law, individuals and companies that have experienced a data breach can no longer wait until the total number of individuals impacted by the breach has been determined to notify those affected. The legislation states “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. The minimum term for complimentary credit monitoring services is 18 months or, in the case of a consumer reporting agency, a minimum of 42 months.
A significant change introduced by the new law is that organisations that experience a data breach will be required to “contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months.” The only other states to have such a law that requires organisations to offer credit-monitoring services are Delaware and Connecticut. If the company involved in the data breach is a consumer reporting agency, the free credit monitoring services will be extended to “a period of not less than 42 months.”
Notifications are required to be issued to all individuals impacted by the breach, the Office of Consumer Affairs and Business Regulation, and the Massachusetts Attorney General’s Office.
The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a detailed description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps that have been taken relative to the security breach, steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach has been experienced by a parent company or affiliated organisation, the name of that company must be detailed in the notification.
Further information can be found at Requirements for Data Breach Notifications on the Massachusetts’s government website.