Massachusetts Strengthens Its Data Breach Law By Adding Amendments

January 21, 2019 | Cyber Security, Data Breach

Massachusetts Governor Charlie Baker signed a new law on January 10, 2019 that significantly amends and strengthens Massachusetts’ data breach notification law. The amendments become effective on April 11, 2019.

The law adds a requirement to offer complimentary credit monitoring for a period of not less than 18 months when the data security breach involves a Massachusetts resident’s Social Security number. It also requires a person who experienced a breach of security that involves a resident’s Social Security number to “file a report with the attorney general and the director of consumer affairs and business regulation certifying their credit monitoring services comply with” the new requirement to offer complimentary credit monitoring services for a period of not less than 18 months. If the breach happened at a credit monitoring agency, the agency would have to provide three-and-a-half years of free monitoring.

The new law (i.e., the amendments to the existing law) requires rolling notification to individuals under certain circumstances: “A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.” The amended law also requires that the notice to individuals identify the name of the parent or affiliated corporation if the organization that experienced a breach of security is owned by another person or corporation.

The amended law includes a new requirement to inform the state regulators “whether the person or agency maintains a written information security program.” Massachusetts regulations currently require “[e]very person that owns or licenses personal information about a resident of the Commonwealth [to] develop, implement, and maintain a comprehensive information security program.” 201 CMR § 17.03(1).

Credit reporting agencies will be required to provide a “security freeze” free of charge when a consumer requests it, and third parties will be required to obtain consumers’ written consent before obtaining credit reports for non-credit purposes. If someone requests a credit freeze from one credit agency, that agency would be required to tell them how to contact the other major credit agencies.

Upon request, a credit agency would be required to disclose what is in someone’s credit history and who the agency has provided a credit report to within the past six months, and up to two years for employment purposes.

A credit agency could not charge more than $8 for a copy of a credit report and could not charge at all if someone were turned down for a job, home rental or insurance due to poor credit during the past 60 days. The law sets out rules for disputing credit reports.

In signing the amendments into law, the Massachusetts Governor stated, “The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used.”

