FMG Law Blog Line

Posts Tagged ‘WISP’

Massachusetts’ Will-o’-the-WISP

Posted on: April 24th, 2019

By: Zach Moura

Massachusetts revised its data breach notification law, effective April 10, 2019, to change the minimum standards for what companies should include in a Written Information Security Plan, or WISP. Companies that experience a data breach incident must now confirm in their breach notice to the Massachusetts Attorney General whether the company maintains a WISP and identify any steps taken, or planned, in response to the incident, including updating the WISP. The requirements apply to companies that handle personal information belonging to Massachusetts residents, no matter where the company itself is located.

The revisions also reshape the requirements for notifications to impacted individuals. In data breach incidents in which Massachusetts residents’ Social Security numbers are exposed, Massachusetts now requires companies to offer 18 months of free credit monitoring services to impacted individuals. Entities must also now certify to the state’s Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services comply with the statute, and provide the name of the person responsible for the breach of security, if known. The revisions also obligate the OCABR to publicly post the sample notice on its website within one business day.

The new statute calls for rolling and continuous notifications to all impacted individuals as they are identified, rather than allowing a business to first determine the total number of impacted individuals before notifying them all at the same time. And if an investigation reveals more information on the data breach that, if known, would have been provided to the impacted individuals in the original notice, additional notices must be sent. Entities must also now identify any parent or affiliated corporation in the notification letter.

For any questions about the above, or whether a WISP complies with Massachusetts law, please contact Zach Moura at [email protected].

Bold New Changes to Massachusetts’ Data Breach Notification Law

Posted on: March 15th, 2019

By: Michael Kouskoutis

Effective April 11, 2019, Massachusetts’ data breach notification law will compel notifying entities to follow several additional and unprecedented requirements when responding to a data breach.

First, the notifying entity must report to the state’s Attorney General whether it has implemented a written information security program (WISP). If the entity has no WISP in place, follow-up inquiries and perhaps even penalties may result.

If applicable, notifying entities will also have to inform affected individuals of the name of their parent corporation or affiliated companies, which could generate negative publicity for companies whose subsidiaries suffer a data breach. Notably, the statute provides no threshold level of ownership before triggering this provision.

Further, the entity will not be permitted to delay notifications on the ground that the total number of residents has not yet been determined. In effect, the entity may have to issue breach notifications on a rolling basis instead of waiting for the investigation to conclude.

Lastly, Massachusetts’ Office of Consumer Affairs and Business Regulation will publish on its website the entity’s individual notification letter in addition to other details about the breach. It will also assist Massachusetts residents in filing public records requests to the Attorney General to obtain state agency notification letters.

These changes are not the type we have seen other states make in recent years; Massachusetts is taking a very bold step towards a more involved notification procedure. We will be monitoring changes to other data breach notification laws to see whether other states follow Massachusetts’ lead. If you have any questions or would like more information, please contact Michael Kouskoutis at [email protected].