BlogLine

Bold New Changes to Massachusetts' Data Breach Notification Law

3/15/19

By: Michael Kouskoutis

Effective April 11, 2019, Massachusetts’ data breach notification law will compel notifying entities to follow several additional and unprecedented requirements when responding to a data breach.
First, the notifying entity must report to the state’s Attorney General whether it has implemented a written information security program (WISP). In the event the entity has no WISP in place, follow up inquiries and perhaps even penalties may result.
If applicable, notifying entities will also have to inform affected individuals of the name of their parent corporation or affiliated companies, which could generate negative publicity for companies whose subsidiaries suffer a data breach. Notably, the statute provides no threshold level of ownership before triggering this provision.
Further, the entity will not be permitted to delay notifications on the ground that the total number of residents has not yet been determined. In effect, the entity may have to issue breach notifications on a rolling basis instead of waiting for the investigation to conclude.
Lastly, Massachusetts’ Office of Consumer Affairs and Business Regulation will publish on its website the entity’s individual notification letter in addition to other details about the breach. It will also assist Massachusetts residents in filing public records requests to the Attorney General to obtain state agency notification letters.
These changes are not the type we have seen other states make in recent years; Massachusetts is taking a very bold step towards a more involved notification procedure. We will be monitoring changes to other data breach notification laws to see whether other states follow Massachusetts’ lead. If you have any questions or would like more information, please contact Michael Kouskoutis at mkouskoutis@fmglaw.com.