Massachusetts Adds New Requirements to Breach Notification Law

Massachusetts Governor Charlie Baker recently signed a new law that amends the state’s data breach notification law.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Governor Baker tweeted.

Key new provisions include:

  • Companies must provide 18 months of credit monitoring following a breach involving Social Security numbers. This makes Massachusetts the fourth state to require credit monitoring if Social Security numbers are involved in a breach;
  • Companies notifying those affected by a data breach must disclose the “name of the parent or affiliated corporation” if they are owned by another entity;
  • Notice of the breach to the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation will need to include the types of personal information compromised, the person responsible for the breach (if known) and whether the entity maintains a written information security program;
  • Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services; and
  • Breach notification cannot be delayed because the total number of affected residents has not been ascertained.

The amendments are effective April 11, 2019.

The steps businesses must take based on the new Massachusetts law are detailed on the “Requirements for Data Breach Notifications” web page.
