Significant changes to the Massachusetts data breach notification law take effect on April 11, 2019. You can view the amendment here. If you haven’t looked at your written information security plan, or WISP, in a while, now’s the time to dust it off. If you still haven’t gotten around to implementing one as required by 201 CMR 17 back in 2010, now’s the time to get going. The revisions to Chapter 93H requires more detailed notifications to both the Massachusetts AG and the Office of Consumer Affairs and Business Regulation (OCABR) and to the affected individuals. It also requires that entities experiencing a security breach provide credit monitoring to individuals if a breach includes the loss of a Social Security number.
Notice to Affected Individuals
Chapter 93H requires that notice of a security breach be provided “as soon as practicable and without unreasonable delay.” With the “Act Relative to Consumer Protection from Security Breaches”, reporting of a Massachusetts breach to individuals may require providing individuals with multiple (repeat) notifications if after the initial notice, the entity discovers information that updates or corrects the information originally provided. Also, the statute specifically states that “[a] notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained.” (emphasis added) The statute also sets out additional content categories that notices to Massachusetts residents will be required to contain. We recommend reviewing your template for breach response, as the includes a new list of required elements for the individual notice. Much of the information added to the statute has been included in individual notices as a matter of course, but given that it is now statutory, templates should be reviewed and revised accordingly.
Notices to the AG and OCABR
The revisions require some unique reporting requirements, not the least of which is that a breached entity is required to identify the person who caused the breach, if known. You’ll also be required to disclose to the regulators whether you have a WISP, and whether you’ve amended your WISP as a result of the incident. Given that entities that use, store, own or license personal information of residents of the Commonwealth have been required to implement and maintain a WISP since 2010, this gives Massachusetts regulators a tool to monitor compliance, and perhaps to pursue enforcement actions for failure to comply which may have resulted in (or contributed to) a security breach. Also, if the breached entity is a subsidiary, the new statute requires that notice to the regulators (and to individuals) also name the parent of the breached entity.
Credit Monitoring
Massachusetts joins California, Connecticut, and Delaware in requiring that a breached entity offer third-party credit monitoring services to impacted individuals if Social Security numbers are compromised. The difference here is that Massachusetts now requires 18 months of credit monitoring services be provided, as opposed to statutes in Connecticut and Delaware which require 12 months (although state regulators have been expecting that 2 years of credit monitoring be provided). California law requires credit monitoring for “not less than 12 months.” We recommend that companies check with their cyberliability carrier to ensure that they have at least 18 months (or as otherwise required by law or regulatory authority) of credit monitoring services in the event of a breach.