US State Breach Law Modifications Begin in 2019 with Massachusetts
Massachusetts’ breach notice law has been amended, requiring companies that suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, under MA’s existing breach notice law, companies that suffer a breach impacting Massachusetts individuals are already obligated to notify the MA AG. As part of that notice, they need to explain the nature of the breach, the number of residents impacted, and the mitigation steps taken. Now, the MA AG will also need to be told whether the company has a written information security program, along with greater detail about the breach itself. These details include the person responsible for the breach of security, if known, as well as the name and title of the person reporting the breach and their relationship to the entity that was breached. A sample copy of the notice sent to consumers also needs to be provided to the MA AG. That sample notice will be posted on the MA AG website within one day of receipt, provided that doing so does not “impede an active investigation” by either the MA AG or another law enforcement agency. The law also imposes additional requirements on the AG to post information about breaches to its website.
The amendment will also impact the provision of credit monitoring services, which will be required for breaches impacting certain types of sensitive information. This mirrors requirements in other jurisdictions, including California and Connecticut. Monitoring has to be provided for free, for 18 months (42 months if the entity is a credit reporting agency), and individuals cannot be required to waive their private right of action in order to receive the credit monitoring. When filing the notice of breach with the MA AG, companies must certify that they are in compliance with these credit monitoring provisions.
Also added to the notice requirements are changes to the notice to consumers. Namely, companies cannot delay notice because they do not yet know how many Massachusetts residents have been impacted. Instead, notice should be provided on a rolling basis as the company discovers (if the company discovers) that additional people were impacted. Additionally, if the company that suffered a breach is owned by a parent company, the notice to the individual needs to include the name of that parent.
Putting it Into Practice: Massachusetts will likely not be the only state to amend its breach notice requirements in 2019. Of note are the credit monitoring provisions as well as the additional detail that needs to be provided to the MA AG. As a reminder, there is no threshold number of impacted MA residents that triggers the AG notice requirement.