Massachusetts Governor Charlie Baker signed a new law on January 10 that amends the state’s data breach law, removing the fees imposed by credit reporting agencies for security disclosures and freezes of consumer credit reports.
The new law, aptly named “An Act relative to consumer protection from security breaches,” also comes with a number of changes to the way companies will have to deal with security breaches involving the personal information of their customers.
The steps businesses must take under the Massachusetts law are detailed on the Commonwealth of Massachusetts’ government website on the “Requirements for Data Breach Notifications” web page.
One of the most important amendments for individuals affected by data breaches is that companies will be required by law to “contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months.”
Moreover, if the company involved in the data breach is a consumer reporting agency, the free credit monitoring services will be extended to “a period of not less than 42 months.”
Amendments to become effective on April 11
The new amendments to the Massachusetts law also forbid companies that have experienced security attacks that have led to data breaches from requiring the individuals affected by that incident to waive their right to a “private right of action as a condition of the offer of credit monitoring services.”
Companies that report data breaches will also have to inform the consumers affected by the security incident of the “name of the parent or affiliated corporation” if they are owned by another entity.
To make sure that data breach notifications will not be delayed indefinitely, Massachusetts lawmakers have also included the following in the bill:
A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.
All amendments will take effect on April 11, 2019, after which all companies that file data breach notifications to the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation will be required to register them using the new regulations.