Recent amendments to the Massachusetts data breach notification statute emphasize timely and public disclosure of data security incidents, including a new requirement that breached companies disclose whether they comply with Massachusetts' data security requirements. Among other, more technical changes, H. 4806, effective April 11, 2019, expands the information that breached companies must provide to Massachusetts state agencies and specifies how that information will be made public. Under the amendments, when a breach is reported to the attorney general (AG) and the director of the Office of Consumer Affairs and Business Regulation (OCABR):

  • Companies are required to disclose whether or not they maintain the written information security program (WISP) required by Massachusetts law;
  • The OCABR is required to make consumer notices provided to it public within one day, and update the breach notification report on its website within 10 days; and
  • The OCABR is required to inform consumers of their ability to file a public records request to obtain a copy of the notice provided to the AG and OCABR.

Massachusetts requires an incident affecting even a single Massachusetts resident to be reported to the AG and OCABR, so even a small incident now results in an affirmative statement to the state about whether the company complies with the law. Companies that have not yet implemented the data security requirements of M.G.L. c. 93H and its implementing regulation, 201 CMR 17.00 (including the written information security program), may therefore wish to do so before they have to report a breach.

The other significant change to breach response in the law is a new requirement to provide credit monitoring, free of charge, for 18 months when Social Security numbers are breached (42 months, or 3.5 years, when the breached entity is a consumer reporting agency). There are also some additional reporting requirements that mirror the forms the agencies currently use. Unlike most states that have revised their notification statutes in recent years, Massachusetts made no changes to the types of personal information that trigger breach notification, the deadlines for notice, or the content of the individual notice. Existing law already requires individual notifications tailored to Massachusetts law, and that requirement continues.