New Data Breach Notification Law in Massachusetts Enacted

A new data breach notification law in Massachusetts was enacted on January 10, 2019. The new law was signed by Massachusetts governor Charlie Baker and will become effective on April 11, 2019.

The new legislation amends the existing Massachusetts data breach notification law (M.G.L. c. 93H) and adds several notification requirements.

The Massachusetts law defines a breach of security as the unauthorized acquisition or unauthorized use of unencrypted personal information (or of encrypted data together with the key or process needed to decrypt it) that creates a substantial risk of identity theft or fraud against a state resident. Notifications are required if an unauthorized person acquires a resident's first name and last name, or first initial and last name, in combination with one or more of the following data elements:

  • Driver’s license number
  • Social Security number
  • State issued ID card number
  • Financial account number, or credit or debit card number, with or without any required security code, access code, PIN or password, if the data would permit access to the resident's financial account.

As with the previous law, there is no fixed deadline for breach notifications. Notifications are required once an organization knows or has reason to know that a breach of security has occurred, or that a resident's personal information has been acquired or used by an unauthorized person, and they must be sent as soon as practicable and without unreasonable delay.

One change to the breach notification requirements is that notifications must be issued even if the total number of people affected by a breach has not yet been confirmed. Individuals and organizations that have experienced a data breach may not delay notification while they gather complete information. The new law requires that, when additional information comes to light, an additional notice, update or correction be issued as soon as practicable and without unreasonable delay.

One significant revision to the Massachusetts data breach notification law is the requirement to offer breach victims free credit monitoring services when the breach involves Social Security numbers. The minimum period of coverage is 18 months or, in the case of a breach at a consumer reporting agency, 42 months.

Notifications must be sent to every affected Massachusetts resident, to the Massachusetts Attorney General's Office and to the Office of Consumer Affairs and Business Regulation.

The Office of Consumer Affairs and Business Regulation and the Attorney General's Office must be given complete information about the nature of the breach and how it occurred, the number of Massachusetts residents affected, whether the organization maintains a written information security program, the steps taken following the breach, the steps that will be taken in the future in response to it, and whether law enforcement has been notified. Where the breached organization is owned by another company, the name of the parent or affiliated corporation must be included in the notification.