The update to the existing Massachusetts data breach notification statute (set to go into effect on April 11, 2019) introduces novel requirements for notices to both affected individuals and regulators and requires credit monitoring services to be offered in some instances for at least 18 months. The legislation updates the statute in a number of particulars, but we focus here on the most notable new requirements.
Notices to affected individuals. The updated statute may require an organization to provide affected individuals with multiple (that is, repeat) notifications if after the initial notice the organization discovers information that updates or corrects the information required to be in such notifications. Other breach notification laws, like the EU’s General Data Protection Regulation and Canada’s breach notification law, may impose an ongoing obligation on organizations to notify regulators with updated information about breaches, but the Massachusetts statute may apply that same obligation to individual notices. The statute also sets forth additional content categories that the notices must contain.
Notices to Massachusetts regulators. The new statute includes some new, unique reporting requirements, such as identifying the person who caused the breach, if known. In addition, although the Massachusetts regulations already require organizations in their scope to have a written information security program (WISP), the updated breach notification statute requires organizations to declare in their breach notices to Massachusetts regulators whether they have one. (The Massachusetts online breach notification form already has this “yes” or “no” question and a location to describe amendments to the WISP as a result of the incident.) In essence, this breach notice requirement operates as a monitoring device for organizations’ compliance with the WISP obligation. If an organization’s notification indicates that it did not have a WISP, Massachusetts regulators could deem the assertion as an admission that the organization is not compliant with the WISP obligation. If organizations required to comply with the Massachusetts data security regulations have not yet implemented a WISP, they should prioritize the development and implementation of one.
Offering credit monitoring. Massachusetts joins a handful of other states in requiring that an organization offer third-party credit monitoring services to individuals in Massachusetts affected by a data breach. If an organization knows or has reason to believe that social security numbers were compromised in a data breach, the statute requires the organization to engage a third party to provide credit monitoring services for 18 months for affected individuals (or 42 months, if the organization is a consumer reporting agency). This requirement differs from the Connecticut and Delaware breach notification statutes that require one year of credit monitoring. Organizations commonly offer one year of identity protection services following a data breach of social security numbers, but there has been a trend of state regulators expecting two years of credit monitoring. Massachusetts decided to go halfway.
The Massachusetts attorney general’s office has historically been at the forefront of enforcing the Commonwealth’s privacy and data security laws. Organizations that process personal information of Massachusetts residents should continue to pay particular attention to the regulatory requirements and enforcement activity in the Commonwealth. In light of the changes to the Massachusetts breach notification statute, organizations should review and update (or create) their breach response readiness kit and notice templates. Organizations would also benefit from revisiting their WISP, not only to meet the specific legal obligations, but also to improve the organization’s data security posture and, hopefully, prevent data breaches altogether.