Massachusetts Expands Its Breach Notification Requirements: Are You Ready?

As of April 11, 2019, Massachusetts data breach victims will be entitled to enhanced rights and protections under An Act Relative To Consumer Protection From Security Breaches.

Any company that deals with the personal information of Massachusetts residents should be mindful of these regulatory changes and update its data security policies and practices—importantly, including its required Written Information Security Program—to reflect these changes in advance of the April 11, 2019 effective date.

Highlights of the regulatory change include:

Effective April 11, 2019

Data Breach Regulations

Consumer Notification Requirement

Notice to the resident must include: (i) the resident’s right to obtain a police report; (ii) how the resident may request a security freeze; (iii) that there shall be no charge for a security freeze; and (iv) the mitigation services to be provided.

A sample copy of the notice sent to consumer must be sent to the attorney general and the office of consumer affairs and business regulation.

Mass. Gen. L. c. 93H, § 3(b)

Consumer Credit Monitoring Services

The breached party is required to provide credit monitoring services free of charge to affected Massachusetts residents for at least 18 months if the breach includes a social security number. The requirement increases to 42 months if the breached party is a credit monitoring service.

The breached party may not require a resident to waive the resident’s private right of action as a condition of the offer of credit monitoring services.

Mass. Gen. L. c. 93H, § 3A

State Regulators Notification Requirement (notice to the attorney general, the director of consumer affairs and business regulation, and consumer reporting agencies or state agencies)

Notice must include: (i) the nature of the breach; (ii) the number of Massachusetts residents affected by the breach; (iii) the name and address of the breached party; (iv) the name and title of the party reporting the breach and their relationship to the breached party; (v) the type of person or agency reporting the breach; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised; (viii) whether the breached party maintains a written information security program; (ix) any steps the breached party has taken or plans to take relating to the incident; and (x) a report filed with the attorney general and the director of consumer affairs and business regulation certifying that the breached party’s credit monitoring services comply with Massachusetts regulations.

Mass. Gen. L. c. 93H, § 3(b)

Consumer Report Regulations

Consent from Consumers Before Obtaining Their Reports

Nonwaivable requirement that, before obtaining a consumer report, a third party obtain the consumer’s prior consent AND, before obtaining that consent, disclose to the consumer the reason for obtaining the report.

Note: there are limited exceptions to these requirements for existing accounts.

Mass. Gen. L. c. 93, § 51B

Consumers’ Right to Information from Consumer Reporting Agency

Upon request and proper identification of the consumer, a consumer reporting agency must disclose to the consumer certain information in its file, including:

·   The nature, contents and substance of all non-medical information in its file on the consumer at the time of the request and the source of such information;

·   The sources of all credit information obtained through routine credit reporting or through any other credit reporting techniques in the file at the time of the request;

·   The recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.

Mass. Gen. L. c. 93, § 56a

Consumer Reporting Agency’s Obligation to Advise Consumers of Rights

A consumer reporting agency must advise the consumer of the consumer’s rights with each written disclosure, or in response to a request by the consumer to be advised of those rights. See the section for the prescribed language.

Mass. Gen. L. c. 93, § 56b


Requirements When Providing Paid Security Freeze Products A consumer reporting agency shall not knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer’s credit unless at the time of transaction, it notifies the consumer of the availability of obtaining a security freeze without charge AND provides information to the consumer on how to obtain a security freeze.

Mass. Gen. L. c. 93, § 62B

As your organization incorporates these changes into its incident response plans, members of any breach response team should receive updated training to ensure that the information required by the regulations is shared with the appropriate parties. In addition, if your company handles the SSNs of Massachusetts residents, you should identify a consumer credit monitoring service to engage in the event of a breach.

These changes continue Massachusetts’ history of being at the forefront of data protection law development in the U.S. Accordingly, it would not be surprising if other states followed suit in amending their respective data protection laws to enhance consumer rights and breached-party reporting requirements.