
On January 10, 2019, the Governor signed Chapter 444 of the Acts of 2018 into law, making important amendments to the Massachusetts data security breach law, Massachusetts General Laws Chapter 93H (“Chapter 93H”). The amendments took effect on April 11, 2019.

Chapter 93H governs the breach reporting requirements for any “person” (defined by the statute as “a natural person, corporation, association, partnership, or other legal entity”) who maintains, stores, owns, or licenses “Personal Information” about a Massachusetts resident. Under Chapter 93H, Personal Information includes a Massachusetts resident’s first name or initial and last name, in combination with any one of the following: (a) Social Security Number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

The recent changes to the law strengthen Chapter 93H’s breach reporting provisions, as follows:

1. A person that experiences a breach of security or other security incident (as defined in Chapter 93H) involving residents’ Social Security numbers must offer those residents free credit monitoring services for at least eighteen months. The credit monitoring cannot be conditioned on a resident’s waiver of his or her private right of action.

2. The breach report to the Attorney General’s Office (“AGO”) and the Office of Consumer Affairs and Business Regulation (“OCABR”) required by Chapter 93H must now include the following additional information that was not previously required:

  • The name and address of the person who experienced the breach of security;
  • The name and title of the person who is reporting the breach of security (if different than the person who experienced the breach), and such person’s relationship to the person who experienced the breach;
  • The type of person who is reporting the breach of security;
  • The person responsible for the breach of security, if known;
  • The type of Personal Information compromised;
  • Whether the person maintains a Written Information Security Program (“WISP”), as required by the regulations issued under Chapter 93H (201 CMR 17.00); and
  • A separate certification that the credit monitoring services offered by the person who experienced the breach comply with the new requirements (see #1 above).

3. The required breach notice sent to Massachusetts residents under Chapter 93H must now include the following additional information not previously required: (a) a statement that residents will not be charged anything for a security freeze; (b) a description of the mitigation services the person will provide (such as the credit monitoring described in #1 above); and (c) if applicable, the name of the parent organization of the person experiencing the breach of security. A copy of this resident notice must be provided to the AGO and OCABR.

4. Upon receipt of a breach notification, OCABR is now obligated to promptly update and amend the information on its website to incorporate the breach information, and to post a copy of the breach notification letter sent to Massachusetts residents. In addition, the amendments make clear that copies of the breach notifications provided to the AGO and OCABR under Chapter 93H are subject to public records requests.
Persons governed by Chapter 93H should ensure that their WISPs and breach notification policies are complete and up to date, that they incorporate the amendments to Chapter 93H, and that in the event of a breach of Personal Information, their reports and notices are timely and contain the required elements. This is especially important for health care providers, whose breach notifications may need to comply with both Chapter 93H and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Please contact me at [email protected], our support team at [email protected], or our office at 617-322-5155 with any questions or if you need assistance with your WISP.

Nicholas Salem

As the CEO of BMIT, a leading managed IT services company, Nick Salem is responsible for providing strategic leadership and direction to the organization. With over 15 years of experience in the IT industry, Nick has a strong track record of driving business growth and improving operational efficiency through the use of technology.