Expert Commentary
Cyber and Privacy Risk and Insurance
January 2019

Massachusetts Amends Breach Notification Law

The Massachusetts governor recently signed Bill H.4806, which becomes effective April 10, 2019. Among other things, the bill amends the Massachusetts breach notification law to require that a notice to regulators include whether the organization maintains a written information security program, along with other specified content.

The amendment also specifies the required content of notices to Massachusetts residents and sets credit monitoring requirements. For more information about written information security programs, see 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth.

Regulator Notice Content Requirements

If notice must be provided to the Massachusetts attorney general, the Massachusetts director of consumer affairs and business regulation (Massachusetts director), and any consumer reporting agency, such notice must include the following.

  • Nature of the breach or unauthorized acquisition or use
  • Number of Massachusetts residents affected by the incident at the time of notification
  • Name and address of the organization that experienced the breach
  • Name and title of the person reporting the breach, and that person's relationship to the organization that experienced the breach
  • Type of organization reporting the breach
  • The organization responsible for the breach, if known
  • Type(s) of personal information compromised, including, without limitation, Social Security number, driver's license number, financial account number, credit or debit card number, or other data
  • Whether the organization maintains a written information security program (WISP)
  • Any steps the organization has taken or plans to take relating to the incident, including updating the WISP

Where practicable, and so as not to impede an active investigation by the Massachusetts attorney general or another law enforcement agency, the Massachusetts director will instruct Massachusetts residents on how they may file a public records request to obtain a copy of the notice that the organization that experienced the breach provided to the Massachusetts attorney general and the Massachusetts director.

In addition, an organization that experienced a breach must file a report with the Massachusetts attorney general and the Massachusetts director certifying that its credit monitoring services comply with the credit monitoring requirements described below.

Massachusetts Resident Notice Content Requirements

If notice must be provided to any Massachusetts resident, such notice must include the following.

  • The Massachusetts resident's right to obtain a police report
  • How a Massachusetts resident may request a security freeze and the necessary information to be provided when requesting the security freeze
  • That there will be no charge for a security freeze
  • Mitigation services to be provided (the notice to residents must not, however, include the nature of the breach or unauthorized acquisition or use, or the number of Massachusetts residents affected by the breach or unauthorized access or use)

If an organization that experienced a breach is owned by another person or corporation, the notice must include the name of the parent or affiliated corporation.

The organization that experienced the breach also must provide a sample copy of the notice that it sent to any Massachusetts resident to the Massachusetts attorney general and the Massachusetts director.

Credit Monitoring Requirements

If an organization knows or has reason to know that it experienced an incident that requires notice, and the breach includes a Social Security number, the organization must contract with a third party to offer credit monitoring services to each Massachusetts resident whose Social Security number was disclosed in the breach, or is reasonably believed to have been disclosed in the breach. The services must be provided at no cost to the Massachusetts resident for a period of no less than 18 months (42 months in the case of a consumer reporting agency). These contracts must not include reciprocal agreements for services in lieu of payment or fees.

The organization must provide all information necessary for the Massachusetts resident to enroll in credit monitoring services and include information on how the Massachusetts resident may place a security freeze on the Massachusetts resident's consumer credit report.

Finally, an organization that experienced a breach must not require a Massachusetts resident to waive the right to bring a private right of action as a condition of the offer of credit monitoring services.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
