Recent amendments to Massachusetts’ data breach notification statute will be effective on April 11, 2019, and business organizations, public agencies, and other legal entities should take note.
Three changes to the law are particularly noteworthy.
First, a breached organization must now provide Massachusetts residents whose Social Security numbers were impacted with complimentary credit monitoring services for 18 months. In enacting this requirement, Massachusetts joins a small but growing number of states (for example, Connecticut and Delaware) that require the provision of complimentary credit monitoring services as part of post-breach remediation efforts when residents’ Social Security numbers are impacted.
Second, Massachusetts law now requires breached organizations to make more robust disclosures to Massachusetts regulators and impacted residents. For example, under the new requirements, a breached organization must inform Massachusetts regulators whether it maintains a Written Information Security Program (WISP) and whether that WISP will be updated following the breach. Additionally, a breached organization must now notify impacted Massachusetts residents of the name of its parent or affiliated corporation if the organization is owned by another person or corporation. These new content requirements supplement the already stringent notification content guidelines Massachusetts has in place.
And third, while organizations are still required to notify regulators and impacted Massachusetts residents of data breaches “without unreasonable delay”, the law now expressly prohibits delaying notification because the number of Massachusetts residents impacted is uncertain. Instead, organizations must promptly notify regulators and known impacted Massachusetts residents of data breaches and thereafter supplement those notices should they learn that additional Massachusetts residents were impacted.
Violations of these and other Massachusetts data breach notification provisions can expose organizations to regulatory enforcement actions and civil penalties.
As is always the case with privacy and breach laws, we expect other states to follow Massachusetts’ lead.
McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group will continue to monitor changes in privacy and breach laws and provide key updates.