Seth Berman

This month marks the two-year anniversary of the historic Equifax data breach that left 150 million Americans’ sensitive personal information exposed. After the breaches occurred, legislators, regulators and consumer groups called for new processes to ensure that the mistakes Equifax made when handling its breach of personally identifiable information never happen again. The good news? Some state legislators have begun to take action.

In the absence of a generally applicable federal data breach statute, most data breaches are governed by the laws of the states in which the impacted individuals live, not the state in which the offending company resides. Although the Equifax breach has not resulted in any new federal data breach laws, several states, including Massachusetts, have augmented their data breach reporting requirements.  

What’s in the Latest Amendment 

In passing an amendment to its existing data privacy law, Massachusetts joins California, Connecticut and Delaware in requiring that a firm provide free credit monitoring or identity theft protection services to victims following a breach that disclosed a Social Security number it held. The amendment also requires that organizations provide clear instructions on how to sign up for the service and prohibits requiring an impacted resident to waive their right of legal action as a condition of using the services – a move specifically included in response to Equifax’s aborted attempt to force consumers to make this choice.


While some state regulators have been pushing for organizations to offer two years of free credit monitoring services, Massachusetts is requiring organizations that suffer a breach in which personally identifiable information was disclosed to offer at least 18 months of free credit reporting. Credit reporting agencies, such as Equifax, dealing with breaches must provide monitoring for a much longer period – 42 months.

The changes to the cybersecurity law also promote greater transparency between companies and consumers. Organizations are expected to better communicate with individuals about breaches, including reporting who was responsible for the breach (if known), the type of personally identifiable information leaked and, if applicable, the name of the parent corporation of the entity reporting a breach.

The amendments also require that after a breach affecting Massachusetts residents, organizations must provide enhanced information to the commonwealth’s regulatory bodies: the Massachusetts attorney general and the director of consumer affairs and business regulation.

When disclosing the breach, the organization must share all the same information that the consumers receive, including: 

  • Whether it maintains a written information security program as required by Massachusetts law.
  • The name, nature and address of the entity that experienced the breach of security, and the name and title of the person reporting the breach of security and their relationship to the entity that experienced the breach.
  • The name of the parent of the entity that experienced a breach.
  • The type of personal information that was compromised.
  • The exact mitigation services to be provided, and any steps the entity has taken or plans to take in response to the incident.

The amendment also states that one of the steps a firm takes after a breach ought to be updating its information security program.

More Clarity on Breach Notifications 

One of the complications of dealing with a data breach is that different data breach laws specify different time periods after which a breach must be reported.  

As a policy matter, it makes sense to require companies to notify consumers as soon as possible, but that goal needs to be balanced against the reality that the full scope of an incident – or even certainty that an incident has occurred – is often not immediately clear. Companies would then need to conduct an investigation, and that can take some time.  

Massachusetts law had been unclear as to how long a company’s investigation could take. The new statute doesn’t specify a particular timeframe, but it does clarify that companies cannot delay notifications merely because the total number of affected individuals is not yet certain. This suggests that companies still have time to investigate the incident, but once they determine that a breach has occurred, they must alert any individuals whose data they know was involved without waiting to figure out if additional individuals also need to be notified.  

It remains to be seen whether this will more effectively protect consumers or if it will increase confusion if the change results in waves of notifications as investigations discover additional breached data. 

Overall, Massachusetts’ move demonstrates that legislators intend to remain at the forefront of efforts to protect their constituents’ security. This may well expand to more general regulations regarding consumer digital privacy, as the legislature considers enacting legislation along the lines of California’s recently enacted, but not yet in effect, Consumer Privacy Act.

Seth P. Berman is a partner and leads Nutter’s privacy and data security practice group. Nehal Khorraminejad is an associate in Nutter’s litigation department. 

Changes to the Massachusetts Data Privacy Law: What it Means for You

by Banker & Tradesman