The Massachusetts governor recently signed Bill H.4806, which becomes effective April 10, 2019. Among other things, the bill amends the Massachusetts breach notification law to require that a notice to regulators includes whether an organization maintains a written information security program and other specified content.
If notice must be provided to the Massachusetts attorney general, the Massachusetts director of consumer affairs and business regulation (Massachusetts director), and any consumer reporting agency, such notice must include the following.
Nature of the breach or unauthorized acquisition or use
Number of Massachusetts residents affected by the incident at the time of notification
Name and address of the organization that experienced the breach
Name and title of the person reporting the breach, and that person's relationship to the organization that experienced the breach
Type of organization reporting the breach
The organization responsible for the breach, if known
Type(s) of personal information compromised, including without limitation, Social Security number, driver's license number, financial account number, credit or debit card number, or other data
Whether the organization maintains a written information security program (WISP)
Any steps the organization has taken or plans to take relating to the incident, including updating the WISP
As soon as practicable, and so as not to impede an active investigation by the Massachusetts attorney general or other law enforcement agency, the Massachusetts director will instruct Massachusetts residents on how they may file a public records request to obtain a copy of the notice that the organization that experienced the breach provided to the Massachusetts attorney general and the Massachusetts director.
In addition, an organization that experienced a breach must file a report with the Massachusetts attorney general and the Massachusetts director certifying that its credit monitoring services comply with the credit monitoring requirements described below.
If notice must be provided to any Massachusetts resident, such notice must include the following.
The Massachusetts resident's right to obtain a police report
How a Massachusetts resident may request a security freeze and the necessary information to be provided when requesting the security freeze
That there will be no charge for a security freeze
The mitigation services to be provided. The resident notice must not describe the nature of the breach or unauthorized acquisition or use, and must not state the number of Massachusetts residents affected.
If an organization that experienced a breach is owned by another person or corporation, the notice must include the name of the parent or affiliated corporation.
The organization that experienced the breach also must provide a sample copy of the notice that it sent to any Massachusetts resident to the Massachusetts attorney general and the Massachusetts director.
Credit Monitoring Requirements
If an organization knows or has reason to know that it experienced an incident that requires notice, and the breach involves a Social Security number, the organization must contract with a third party to offer credit monitoring services, at no cost, to each Massachusetts resident whose Social Security number was disclosed in the breach or is reasonably believed to have been disclosed. The services must run for a period of no less than 18 months (42 months in the case of a consumer reporting agency). These contracts must not include reciprocal agreements for services in lieu of payment or fees.
The organization must provide all information necessary for the Massachusetts resident to enroll in credit monitoring services and include information on how the Massachusetts resident may place a security freeze on the Massachusetts resident's consumer credit report.
Finally, an organization that experienced a breach must not require a Massachusetts resident to waive the right to a private right of action as a condition of the offer of credit monitoring services.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.