On January 10, 2019, Massachusetts Governor Charlie Baker signed House Bill No. 4806 into law. The bill amends certain provisions of the state data breach notification law, increasing reporting requirements on a person or agency collecting personal information of Massachusetts residents. In relevant part, H.B. 4806 expands notification requirements, requires companies to contract with a third party to offer affected residents free credit monitoring services, and prohibits security freeze fees. The amendments went into effect on April 11, 2019.
Updated Notification Requirements
H.B. 4806 enhances preexisting Massachusetts notification law regarding the required content of notice to consumers and state regulators. Under preexisting Massachusetts law, breached entities must include the following in the notice to state regulators: (i) the nature of the breach of security; (ii) the number of residents affected; and (iii) any steps the person or agency intends to take regarding the breach of security. In addition to these requirements, under the updated notification requirements, notice to state regulators must include the following:
In addition to notice requirements to state regulators, the amendments expanded the requirements for notification to affected residents. The notice to be provided to affected residents must include: (i) the resident’s right to obtain a police report; (ii) how a resident may request a security freeze and the necessary information to be provided when requesting a security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided pursuant to Massachusetts’ data breach notification laws (i.e., free credit monitoring services).
H.B. 4806 also slightly modified timing requirements. Existing timing obligations, which required companies to provide notification as soon “as practicable and without unreasonable delay,” remained unchanged; however, companies are now prohibited from delaying notice on the ground that the total number of affected residents has not yet been ascertained.
Additional Notification Requirements
The amendments provide new guidance regarding notification to the general public. If such notice does not impede a pending investigation by the attorney general or other law enforcement agency, the Office of Consumer Affairs and Business Regulation (the “OCABR”) must publish “electronic copies of the sample notice sent to consumers on its website within one business day upon receipt from the person that experienced a breach of security,” update the published report as soon as practically possible after the information has been verified, and amend this information on a recurring basis. The OCABR must also provide consumers with instructions on how they may file a public records request to obtain a copy of the notice sent to the agency from the breached entity.
Free Credit Monitoring Services
Massachusetts is now the fourth state (following California, Connecticut, and Delaware) that requires companies to contract with a third party to offer free credit monitoring services to residents involved in a security breach compromising Social Security numbers. If a resident’s Social Security number is compromised, the company must now contract with a third party to offer affected residents free credit monitoring services for a period of not less than 18 months; provided, however, that if a consumer reporting agency experiences a breach of security disclosing Social Security numbers, affected residents will be entitled to free credit monitoring services for a period of not less than 42 months. In addition, the amendments require the person or agency to provide affected residents all information necessary to enroll in credit monitoring services, which must include how an affected resident can place a security freeze on his or her consumer credit report. Furthermore, affected residents cannot be required to waive their right of action as a condition to receiving credit monitoring services.
Many states permit credit reporting agencies to charge residents fees to “freeze” and “thaw” their credit files, which range by state from $5 to $10 per agency. The amendments prohibit such fees in Massachusetts and allow residents affected by a breach to place, lift, or remove security freezes without charge.