Massachusetts Amends Data Breach Law

June 2019

In the wake of recent high-profile data breaches, Massachusetts has enacted significant changes to its data breach protection law, M.G.L. c. 93H.  Effective April 11, 2019, these changes, highlighted below, place the law among the most protective consumer protection statutes in the nation and position Massachusetts as a leader in the area of data security and protection. 

While the standard for notification of a data incident remains the same, the amendments to the law have largely focused on the mitigation services entities must provide to victims of a data breach.  Key provisions of the amendments include:  

  • Required Credit Monitoring:  Massachusetts now joins California, Connecticut and Delaware in requiring free credit monitoring for individuals affected by a data breach.  Under the revised Massachusetts law, if Social Security numbers were disclosed or are reasonably believed to have been disclosed in a breach, the entity must provide credit monitoring services to the affected residents at no cost for no less than 18 months (or, if the breach occurred at a consumer reporting agency, for a minimum of 42 months).  The notice sent to affected individuals must also explain how to enroll in the credit monitoring services and how to place a security freeze on a consumer report.  Entities are also prohibited from asking individuals to waive their right to a private action as a condition of receiving credit monitoring services. 
  • Notices to Regulators:  The required notice to the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation (OCABR) will now need to include additional information, including the types of personal information compromised, the person responsible for the breach (if known) and whether the entity maintains a written information security program (WISP).  MIT’s WISP can be found at https://infoprotect.mit.edu/wisp.
  • Timing of Affected Individual Notification:  The law explicitly prohibits a company from delaying notice to affected individuals on the basis that it has not yet determined the number of individuals affected.  Rather, the entity must send out additional notices on a rolling basis, as necessary.  The law also requires repeat notifications if, after the initial notice, the entity discovers information that updates or corrects previously provided information.
  • Public Notification of Disclosures:  The revised law will now also require the OCABR, which already publishes and periodically updates a spreadsheet of notifications it receives, to “make available electronic copies of the sample notice sent to consumers on its website and post such notice within 1 business day upon receipt.”  In addition, the OCABR must also instruct consumers on how they may file a public records request to obtain a copy of the notice provided to the Attorney General and the OCABR from the entity that experienced a breach of security. 

In the event of a data incident affecting MIT, you can assist MIT in fulfilling its obligations under this law by reporting the incident.  For more information, please contact Jason Baletsa, 617.253.4466 or jbaletsa@mit.edu.