On Thursday, April 11, 2019, Massachusetts' revisions to its data breach notification law came into effect with significant changes to how a company handling residents’ personal information must respond to a data breach. Companies operating outside of Massachusetts should take note – these changes apply to companies that handle personal information belonging to Massachusetts’ residents regardless of where the company itself is located.
A 2010 Massachusetts law required that "every person that owns or licenses personal information about a resident of the Commonwealth must develop, implement, and maintain a comprehensive information security program." The minimum standards for what should be in a Written Information Security Plan, or WISP, can be found https://www.mass.gov/files/documents/2017/10/02/201cmr17.pdf and https://www.mass.gov/files/documents/2017/11/21/compliance-checklist.pdf. The 2010 regulation now has some added teeth – the new amendment requires companies to confirm in their breach notice to the Attorney General "whether the person or agency maintains a written information security program" and identify any steps taken or plans to take relating to the incident, "including updating the written information security plan."
The bottom line is that companies across the country should make sure that they have a WISP in place that complies with Massachusetts law.
New additions to the notice to the Attorney General and the Office of Consumer Affairs and Business Regulation ("OCABR") require that entities must now certify to the Attorney General that the credit monitoring services comply with the statute, provide the name of the person responsible for the breach of security, if known, and the OCABR will post the sample notice on its website within one business day.
The new amendment also significantly changes what companies must do concerning individual notification.
Where Social Security numbers are at risk, Massachusetts now requires companies to offer 18 months of credit monitoring services at no cost, making it the third state to require mandatory credit monitoring services (Connecticut requires 24 months and Delaware requires 1 year) where residents’ SSNs are exposed.
Businesses also can no longer delay notifying all impacted individuals while they investigate the total number of impacted individuals, effectively requiring rolling notifications. If additional information regarding the data breach is discovered that would be provided to the residents in the first place, additional notices are required to be sent out. Entities must also now identify any parent or affiliated corporation in the notice letter, likely in an effort to avoid letting well-known brands hide behind a notification issued by a lesser known subsidiary.
Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help entities asses their obligations. If you or your organization would like more information on this or any other cybersecurity issue, please contact an attorney in the Data Privacy and Cyber Security team