On April 11, 2019, significant revisions to Massachusetts’ data breach law – Chapter 93H – take effect. The revised statute requires more detailed notifications to both the Commonwealth and affected consumers, and mandates that breached entities offer consumer credit monitoring to affected individuals after certain types of breaches, a practice that has become common but was not previously required.
Additional Notice Requirements: The revised statute maintains the core notification requirement for an entity that owns or licenses personal data that has suffered a data breach involving the personal information of a Massachusetts resident. As before, the entity must notify the Massachusetts Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected individuals. The amendment to the statute adds more information that must be provided in these notices. Key examples include:
- Whether the entity maintains a written information security program (WISP)
- The name and address of the entity that experienced the breach of security
- The name and title of the entity reporting the breach of security and their relationship to the entity that experienced the breach of security
- The type of entity reporting the breach of security
- The name of the parent of the entity that experienced a breach, if any exists
- If known, the person responsible for the breach of security
- Mitigation services to be provided pursuant to the law
- The type of personal information compromised, such as Social Security number, driver’s license number, financial account number, credit or debit card number, or other data
- As with the earlier version of the statute, the notice must include any steps the entity has taken or plans to take in response to the incident. The revised statute now specifies that one of those “steps” ought to include updating the WISP.
Required Credit Monitoring Services: If the breach included the loss of Social Security numbers, the revised statute requires breached entities to offer credit monitoring services to affected individuals. The statute has several requirements for this service, the most important of which is that it must be for a period of at least 18 months for most entities and 42 months if the breached entity is a consumer reporting agency. A report certifying compliance with the credit monitoring services must also be filed with the Attorney General and the Director of Consumer Affairs and Business Regulation.