Damage Control: New Massachusetts Bill Expands What Must be Reported to Regulators After a Data Breach

By: Brendan Dalton

On January 10, 2019, Governor Charlie Baker signed House Bill 4806, which amends the Massachusetts Data Breach Notification Act.  The bill will go into effect on April 11, 2019.  The amendment aims to provide clear guidelines for what entities must disclose to Massachusetts regulators and consumers after experiencing a data breach.

What Must be Reported

The existing Massachusetts law requires “[e]very person that owns or licenses personal information about a resident of the Commonwealth [to] develop, implement, and maintain a comprehensive information security program.”  Under the new amendment, entities that have experienced a data breach must provide more information to the Massachusetts Office of the Attorney General and the Office of Consumer Affairs and Business Regulation than was required before the amendment was enacted.  This includes the type of information that was compromised in the breach, the person(s) responsible for the breach (if known), and “whether the person or agency maintains a written information security program.”

Oftentimes, consumers are left in the dark after data breaches.  These additional requirements should allow the Massachusetts regulatory bodies named above to formulate a more comprehensive plan for dealing with the fallout from these breaches.  Additionally, consumers will now know if their personal information was compromised, and they will be able to take a more proactive role in ensuring that their personal information is protected.  For example, consumers can contact the fraud department of companies where they believe that their Social Security number was fraudulently used.

Consumer Protections

Additionally, the entity that experiences the data breach must now identify to consumers any parent or affiliated corporation.  Also, the entity may no longer use the fact that it is unsure about how many people are affected by the data breach as an excuse to delay notifying affected customers.  This is an exceptional addition to the existing law, as entities that have experienced data breaches in the past have waited far too long to notify consumers of the serious risk that data breaches pose to their personal information.  This delay in notifying consumers can lead to additional personal information, as well as money and property, being stolen.  With this amendment, consumers will now be aware of the data breach at a much earlier time and, as stated before, will be able to take the necessary precautions to keep their personal information safe.

Entities Monitoring Credit

Furthermore, entities now must provide credit freezes and free credit monitoring services for at least 18 months if consumers’ Social Security numbers are disclosed or reasonably believed to have been disclosed during the data breach.  This additional protection will provide better oversight of consumers’ Social Security numbers following the breach.  Out of all the personal information a person has, one’s Social Security number is viewed as the most sensitive.  With one’s Social Security number, an identity thief could access a variety of personal information, ranging from one’s bank account to one’s medical history.  The credit freezes and free credit monitoring mean that additional protections will be given to consumers to ensure that their Social Security numbers are better protected following the data breach.

What This All Means for Massachusetts’ Consumers

The new amendments to the Massachusetts Data Breach Notification Act should be viewed as a victory for consumers across Massachusetts.  This bill was enacted about two and a half years after the Equifax data breach.  Equifax is one of the three largest major credit reporting agencies in the United States, and from May to July of 2017 the sensitive personal information of over one hundred and forty-three million Americans was exposed.  The personal information included Social Security numbers, people’s names, driver’s license numbers, and addresses.

Having any of this information stolen by an identity thief is extremely troublesome.  With information like a person’s Social Security number or driver’s license number, an identity thief can steal money and property from the victim.  Driver’s license numbers are also related to insurance policies, places of employment, and doctors’ offices.  Data breaches pose significant risks to the personal information of Massachusetts residents, and enacting more regulations that hold the entities that have experienced the breaches more accountable is a good thing for consumers across the Commonwealth.

Student Bio: Brendan Dalton is a second-year student at Suffolk University Law School. He is currently a staff member of the Journal of High Technology Law. He holds a Bachelor of Arts in Political Science from the University of Massachusetts Amherst with a minor in Economics.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 
