A new Massachusetts law toughens reporting requirements for companies and organizations hit by data security breaches and requires free credit monitoring for affected consumers. “Signing this bill into law will better protect Massachusetts consumers from the consequences of data breaches and give individuals more control over their data and how it is used,” Gov. Charlie Baker (R) said in a Feb. 26 statement. The law, H.4086, requires companies and other entities to report to the state attorney general and consumer reporting agencies the nature of the data breach and the number of Massachusetts residents affected.
They also must report the type of personal information compromised; the person responsible for the breach of security, if known; and any steps the person or agency has taken or plans to take, including updating its security program.
The law requires consumer consent before a third party can obtain a consumer’s credit report from a credit reporting agency and that credit reporting agencies allow consumers to place a “security freeze” on their credit report at no cost. It prohibits agencies from charging consumers to lift or remove a credit freeze.
The state’s prior law didn’t require companies to provide as much detail about data breaches, or how the company or entity responded.
“This new law is good news for Massachusetts residents as it provides consumers with new tools to protect themselves from identity theft after a security breach like the recently announced ones at Equifax and Marriott,” Deirdre Cummings, legislative director for MASSPIRG, a state consumer group, said in a statement.
• Outline the changes in the law.
• Provide real life examples of how these changes will impact AIM members.
• Discuss potential future changes in Massachusetts law and steps AIM members should take to be prepared.
Colin J. Zick is a Partner in Foley Hoag LLP’s Boston Office, and co-founded and chairs its Privacy & Data Security Practice. He counsels clients ranging from the Fortune 1000 to start-ups on issues involving information privacy and security, including compliance with state, federal and international data privacy and security laws and government enforcement actions. He also frequently counsels technology and consumer-facing clients on issues involving information privacy and security (including the GDPR and Privacy Shield, HIPAA and other U.S. federal and state data privacy and security laws, privacy policies, cloud security, cyber insurance, the Internet of Things, and data breach response). Colin co-founded the firm’s Privacy and Data Security Practice Group and regularly contributes to its “Security, Privacy and the Law” blog, www.securityprivacyandthelaw.com. Colin has been ranked as one of the Best Lawyers in America® since 2015, ranked by CHAMBERS USA as one of Massachusetts’ leading health care lawyers since 2010, and he has been selected by his peers as a Massachusetts “Super Lawyer” since 2004. Colin also serves as a member of Law360’s Privacy & Consumer Protection editorial advisory.
Chris Hart is a Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM) and a member of the firm's Data Privacy and Security Group. He has considerable experience in data privacy and cybersecurity issues, and advises companies on regulatory compliance, data breach planning and response, the EU’s General Data Protection Regulation (GDPR), and risk management (including cyberinsurance). Chris is a co-editor of and frequent contributor to Foley Hoag’s Security, Privacy and the Law blog, and a member of the firm’s Cybersecurity Incident Response Team. He also advises on data privacy and regulatory issues concerning blockchain technology and cryptocurrency. Chris’ in-depth cybersecurity knowledge has made him a frequently sought-after commentator in the local and national press; his comments have appeared in such publications as the Wall Street Journal, Washington Post, and Massachusetts Lawyers Weekly.