Massachusetts Updates Data Breach Notification Laws
posted Feb 12, 2019 by Daniel M. Andrea, CPA, CITP, CISA in the Global Tax Blog
Attention Massachusetts businesses: MA Governor Charlie Baker recently signed new legislation amending the state’s data breach notification law. The new law takes effect April 11, 2019 and will change how your business deals with breaches. Read on.
What are the new MA data breach laws?
These laws typically outline provisions regarding:
- Who must comply with the law (businesses, data/information brokers, government entities, etc.)
- Definitions of personal information (name, Social Security number, driver’s license or state ID, account numbers, etc.)
- What constitutes a breach (unauthorized acquisition of data, for example)
- Requirements for notice (timing, notification method, who must be notified)
- Exemptions (for encrypted information)
What has changed in MA?
Key updates to the state’s data breach notification laws include the following:
- Immediate breach notification: Businesses can no longer wait to provide breach notifications, even if the number of affected people has not been finalized. Businesses will now be required to provide notice as soon as a breach is discovered and to supplement the original notice with new information as it becomes available.
- Written Information Security Program (WISP): Breach notices must be given to the state whether or not the individual or company maintains a written information security program (WISP). WISPs went into effect in 2010 in MA and require every company that owns or licenses personal information about MA residents to develop, implement, and maintain a written program outlining the administrative, technical, and physical safeguards that protect that information, including in the event of a breach. Before the new law takes effect in April, businesses without a WISP should make every effort to implement one; otherwise, they are likely to face extra scrutiny from regulators.
- Free credit monitoring: If Social Security numbers are compromised during a data breach, the amendments require the business to offer affected individuals complimentary credit monitoring for at least 18 months (this increases to 42 months if the business that suffers the breach is a consumer reporting agency). In light of this, businesses should evaluate their existing data collection and retention policies to make sure that the only personal data they store is data necessary to the operation of the business.
Do you need help reviewing your policies? We can help ensure that your business is doing all it can to prevent a cyber breach. Contact us.