All 50 states in the U.S., the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted data breach legislation requiring both public and private sector entities to notify individuals whose personally identifiable information (PII) may have been compromised in a security breach.
As the cyber security landscape grows more threatening, state legislatures are tasked with updating and tightening existing data breach rules, ranging from what constitutes PII and how a breach is defined to compliance rules and other specifics. Now Massachusetts, whose data breach legislation history dates to 2007, has amended its breach notification law, adding new measures that will take effect on April 11, 2019. Governor Charlie Baker has signed the legislation. The new amendments cover the information required in breach notifications, the timing of notifications and the credit monitoring services offered to the state’s residents affected by a breach.
Of note among the law’s changes, there’s no mention of specific time frames for companies to report a breach to authorities. The assumption is that they’ll respond quickly to provide authorities and regulators with the necessary information. Under the amended legislation, not yet knowing how many residents have been affected is no excuse for withholding notification. Entities can update the information as it becomes available, but notification itself must be made “without unreasonable delay.”
Here are some of the law’s other measures (via Alston & Bird privacy and data security blog):
- On security freezes: Consumer reporting services can’t charge consumers to place a freeze on their credit report or to temporarily lift or remove it altogether. The state must confirm in writing that consumers won’t be charged on credit report freezes.
- On credit monitoring: If Social Security numbers were involved in a breach, the entity must provide free credit monitoring services to the affected residents for at least 18 months. Residents must be informed of how to enroll in the services and how to place a security freeze on their consumer report.
- On notifying regulators: Notices to both the Massachusetts Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation must state whether the entity has a written information security program, who is responsible for the breach and what the entity’s plan is to remedy the breach. In addition, entities must submit sample notification letters for residents.
Here's a guide to the breach laws of all 50 states, including Washington, D.C., Guam, Puerto Rico and the Virgin Islands. Many will be updating their data breach regulations at some point. MSSP Alert will keep you posted on the changes as they occur.