Breached orgs now required to offer free credit monitoring

Fresh amendments have been made to Massachusetts’ data breach notification law, 16 months after nearly three million of the state’s residents were hit by the massive Equifax breach.

Among the changes to the Data Breach Notification Act, which came into force in July last year, organizations that fall victim to a data breach will be required to provide free credit freezes and 18 months of free credit monitoring to Massachusetts residents who are potentially impacted by the incident.

Importantly, lawmakers in the Bay State have clearly not forgotten the 2017 Equifax mega-breach: if a breach occurs at a credit rating agency, that agency will be required to provide complimentary credit monitoring services for 42 months.

In addition, the amended law prohibits a company from delaying notice of a breach on the basis that it has not determined the number of individuals affected. Instead, the organization must send out additional notices on a recurring basis, as necessary.

Financial institutions are also required to get consent before accessing or using a consumer’s credit report. And when a consumer requests a freeze, national credit reporting agencies must inform them about other reporting agencies that might also have files on them.

“I filed legislation to make it easier for victims of identity theft to freeze their credit reports,” says State Representative Jennifer Benson.

“In the wake of the Equifax breach last year, I worked with the Attorney General and advocates to strengthen the bill with further protections.

“Consumers in Massachusetts will now be empowered to take control of their credit data, and they’ll have more support to help them recover more quickly if their data is hacked or leaked.”

Organizations must issue notifications if an individual’s first name and last name, or first initial and last name, are obtained by an unauthorized individual along with any one of several data elements: Social Security number, driver’s license number, state-issued ID card number, financial account number, or credit/debit card number.

These notifications must be issued “as soon as is practicable and without unreasonable delay”.

The new legislation, which will come into effect on April 11, hasn’t won universal approval.

The Association of National Advertisers (ANA) filed a letter in December opposing the bill for its lack of a “harm trigger” and for the requirement for rolling notifications – both of which, it said, could lead to “over warning” and “soon cause consumers to ignore every data breach notification they receive”.

While the bill has been making its way through the system, other states have started making moves to follow suit. This month, for example, a law came into effect in Vermont requiring data brokers to notify state residents about security breaches.

Elsewhere, South Carolina has adopted the National Association of Insurance Commissioners’ Insurance Data Security Model Law, introducing strict breach notification and information security requirements for entities licensed by state insurance regulators.

The North Carolina Attorney General has also proposed major changes to the state’s breach notification law, including requiring notification for ransomware attacks.

“A number of the updates to the Massachusetts data breach notification law are not the typical changes we see made in many other states – for example, expanding the definition of personal information, establishing a set number of days by which notice must be provided,” says Joseph Lazzarotti of law firm Jackson Lewis.

“Organizations will need to revisit their overall incident response plans, as well as confirm their compliance with the state’s data security mandate, now nine years old.”