Massachusetts has updated its breach notification law to require credit monitoring services and more prescriptive breach notices to regulators, as well as to strengthen rules for consumer reporting agencies. Governor Charlie Baker signed the legislation (H. 4806) on January 10, 2019, and the amendments go into effect on April 11, 2019.
The amendments will require:
- Providing more detailed information in breach notifications to MA regulators, including whether the entity maintains a written information security program (WISP) and steps the entity has taken relating to the breach, such as updating the WISP. This requirement signals an attempt to more actively enforce the MA data security regulations (201 C.M.R. 17), which require, among other things, that entities that own or license personal information about MA residents “develop, implement, and maintain a comprehensive information security program that is written.” Such companies should consider whether their WISP complies with 201 CMR 17, which is often considered to be the most stringent US state data security law
In addition to the above, the law would be the first in the nation to require companies to inform regulators of the person responsible for the breach, if known. The disclosure must also include (i) the nature of the breach; (ii) the number of MA residents of the affected; (iii) the name and address of the entity that experienced the breach; (iv) name and title of the person reporting the breach, and their relationship to the entity that suffered the breach; (v) the type of entity reporting the breach; (vi) the type(s) of personal information compromised; and (vii) a report certifying that any credit monitoring services are in compliance with the requirement noted below.
- Offering MA residents 18 months of complimentary credit monitoring services in the event of a breach involving a Social Security number (or 42 months if the notifying entity is a consumer reporting agency) and certifying that their credit monitoring services comply with this requirement. In practice, because companies that provide credit monitoring services generally do not offer 18-month plans, this will effectively require notifying entities to procure at least 2 years of credit monitoring. In requiring credit monitoring services, Massachusetts joins Connecticut (which requires 24 months of such services) and Delaware (which requires 12 months of such services).
The law would also create a number of new requirements relating to consumer reports, including:
- Limitations on when users can obtain, use, or seek a consumer report.
requirement that, upon request and identification of the consumer, consumer
reporting agencies inform consumers about information relating to their reports,
- the nature, contents and substance of all information (except medical information) in their files;
- the sources of all credit information obtained through routine credit reporting or any other credit reporting techniques; and
- the recipients of any consumer report that they have furnished for employment purposes within the 2 years preceding the request, and for any other purpose within the 6 months preceding the request.
- A requirement that consumer reporting agencies inform consumers about their rights under the MA law. The law sets forth the information that must be provided to consumers and requires that such information be clear and conspicuous and in at least 10-point font. Consumer reporting agencies must already inform consumers of their rights under Federal law.
- A prohibition on consumer reporting agencies from knowingly offering a paid product to prevent unauthorized access or restrict access to a consumer’s credit, unless the agency (i) notifies the consumer of the availability of obtaining a security freeze without charge and (ii) provides information to the consumer on how to obtain a security freeze.