On January 10, 2019, Massachusetts Governor Charlie Baker signed House Bill No. 4806 into law. The bill amends certain provisions of the state data breach notification law, increasing reporting requirements on a person or agency collecting personal information of Massachusetts residents. In relevant part, H.B. 4806 expands notification requirements, requires companies to contract with a third party to offer affected residents free credit monitoring services, and prohibits security freeze fees. The amendments went into effect on April 11, 2019.
Updated Notification Requirements
H.B. 4806 enhances preexisting Massachusetts notification law regarding the required content of notice to consumers and state regulators. Under preexisting Massachusetts law, breached entities must include the following in the notice to state regulators: (i) the nature of the breach of security; (ii) the number of residents affected; and (iii) any steps the person or agency intends to take regarding the breach of security. In addition to these requirements, under the updated notification requirements, notice to state regulators must include the following:
- Name and title of the person or agency that experienced the breach of security;
- The type of person or agency reporting the breach of security;
- The person responsible for the breach of security, if known;
- The type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data;
- Whether the person or agency maintains a written information security program; and
- Any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.
In addition to notice requirements to state regulators, the amendments expanded the requirements for notification to affected residents. The notice to be provided to affected residents must include: (i) the resident’s right to obtain a police report; (ii) how a resident may request a security freeze and the necessary information to be provided when requesting a security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided pursuant to Massachusetts’ data breach notification laws (i.e., free credit monitoring services).
H.B. 4806 also slightly modified the timing requirements. The existing timing obligation, which requires companies to provide notification "as soon as practicable and without unreasonable delay," remains unchanged; however, companies are now prohibited from delaying notice on the ground that the total number of affected residents has not yet been ascertained.
Additional Notification Requirements
The amendments provide new guidance regarding notification to the general public. If such notice does not impede a pending investigation by the attorney general or other law enforcement agency, the Office of Consumer Affairs and Business Regulation (the "OCABR") must publish "electronic copies of the sample notice sent to consumers on its website within one business day upon receipt from the person that experienced a breach of security," update the published report as soon as practically possible after the information has been verified, and amend this information on a recurring basis. The OCABR must also provide consumers with instructions on how they may file a public records request to obtain a copy of the notice that the breached entity sent to the agency.
Free Credit Monitoring Services
Massachusetts is now the fourth state (following California, Connecticut, and Delaware) to require companies to contract with a third party to offer free credit monitoring services to residents affected by a security breach that compromises Social Security numbers. If a resident's Social Security number is compromised, the company must now contract with a third party to offer affected residents free credit monitoring services for a period of not less than 18 months; provided, however, that if a consumer reporting agency experiences a breach of security disclosing Social Security numbers, affected residents are entitled to free credit monitoring services for a period of not less than 42 months. In addition, the amendments require the person or agency to provide affected residents with all information necessary to enroll in the credit monitoring services, which must include how an affected resident can place a security freeze on his or her consumer credit report. Furthermore, affected residents cannot be required to waive their right of action as a condition of receiving credit monitoring services.
Many states permit credit reporting agencies to charge their residents fees to "freeze" and "thaw" their credit files, which range by state from $5 to $10 per agency. The amendments prohibit such fees in Massachusetts and allow residents affected by a breach to place, lift, or remove security freezes without charge.