By: Michael Jervis
Effective April 11, 2019, new amendments to Massachusetts’s Data Breach Notification Act go into effect. The amendments impose additional requirements on covered companies that sustain a data breach involving personal data of Massachusetts residents. The new requirements are:
- Content of Notice. Additional information must be provided to the Massachusetts Attorney General and state Office of Consumer Affairs when providing notice of a breach, including the type of information compromised, the person(s) responsible for the breach (if known), and whether the company maintains a written information security program. (Note that Massachusetts regulations 201 CMR § 17.03 require any entity that owns or licenses personal information of a Massachusetts resident to develop, implement, and maintain a comprehensive written information security program.)
- Notice to Consumers. A company providing notice to consumers of a data breach now must identify any parent or affiliated corporation. In addition, companies are expressly prohibited from delaying notice to affected consumers on the basis that it has not determined the number of people affected. Now, companies must provide notice without delay, and send additional notices on a rolling basis, if needed.
- Credit Monitoring. Companies must offer credit monitoring services at no cost for at least 18 months if Social Security Numbers are disclosed or reasonably believed to have been disclosed in a data breach. If the company is a consumer reporting agency, credit monitoring services must be provided for 42 months.
- No Non-Waivers. If a company offers credit monitoring services to individuals, it cannot request those individuals to waive the right to bring a private action in exchange for those services.