On January 10, 2019, Massachusetts Governor Baker signed “An Act relative to consumer protection from security breaches” (House Bill No. 4806), which added new requirements and obligations for companies that experience a data breach.  The new requirements impose expanded content requirements for breach notices provided to Massachusetts state agencies, including contact and other information for the person reporting the breach of security, identification of the person responsible for the breach, and the types of personal information compromised.

The new law also expands content requirements for breach notifications to affected individuals, including that there is no charge for a security freeze, a description of mitigation services, and the identity of a parent company if the breached company is a subsidiary.  Sample notices to individuals must be filed with the attorney general and with the office of consumer affairs and business regulation, which must post the sample notice on its website.

Breach notices cannot be delayed on the grounds that the total number of affected individuals has not been ascertained.

In addition, in breaches involving Social Security numbers, free credit monitoring services must be offered to affected individuals for at least 18 months; at least 42 months of free services where the breach involves a consumer reporting agency.  Consumers cannot be required to waive rights to sue as a condition of accepting the services.