BreachExchange mailing list archives
Massachusetts Amends Data Breach Notification Statute
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 5 Feb 2019 11:59:00 -0600
https://www.jdsupra.com/legalnews/massachusetts-amends-data-breach-33248/

The Governor of Massachusetts recently signed new legislation amending the state’s already-existing data breach notification statute that, among other changes, now requires 18 months of free credit monitoring services to residents affected by a data breach and makes changes to required information on data breach notifications sent to affected consumers, the Massachusetts AG, and the Director of the Office of Consumer Affairs and Business Regulation.

Massachusetts already had a data breach notification statute that required an entity suffering a data breach to notify the AG and the Director of the 1) nature of the breach; 2) the number of residents of Massachusetts affected; and 3) any steps taken related to the incident. The Notification must now also include:

- The name and address of the person or agency that experienced the breach of security;
- Name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach;
- The type of person or agency reporting the breach;
- The person responsible for the breach, if known;
- The type of personal information compromised, including but not limited to Social Security number, driver’s license number, financial account number, credit or debit card number, or other data;
- Whether the person or agency maintains a written information security program; and
- Whether the person or agency is updating the written information security program as part of any steps the person or agency has taken or plans to take relating to the incident.

The affected party must also file a report with the AG and Director to certify that their credit monitoring services are compliant with the statutory requirements.

The consumer-specific notification must contain the following information: 1) an individual’s right to a police report; 2) how an individual can request a security freeze on their credit report; 3) that there will be no charge for such security freeze; and 4) information regarding mitigation services to be provided pursuant to the data breach notification law. Such notification must be sent out as soon as practicable and without unreasonable delay, once an entity knows or has reason to know of a data breach.

Additionally, the new legislation requires the party suffering a data breach to provide free credit monitoring services to any resident for 18 months if the security breach included their social security number. The requirement is extended to 42 months if the entity that suffered the breach is a consumer reporting agency. This offer of free credit monitoring services cannot be waived by the affected consumer.