On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers.  The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach, and force companies to disclose breaches in a timely and public notification.

For businesses reporting data breaches, the type of information that must be provided to the state have been expanded, to now include:

  • the name and address of the person or agency that experienced the breach of security
  • name and title of the person or agency reporting the breach of security
  • their relationship to the person or agency that experienced the breach of security
  • the type of person or agency reporting the breach of security
  • the person responsible for the breach of security, if known;
  • the type of personal information compromised, including, but not limited to, Social Security number, driver’s license number, financial account number, credit or debit card number or other data
  • whether the person or agency maintains a written information security program; and
  • a report to the Attorney General and the Director of Consumer Affairs and Business Regulation certifying their credit monitoring services comply with this newly amended law.

Breaches involving Social Security numbers will now have additional requirements:  credit monitoring services at no cost for a period of not less than 18 months (42 months if it was breach involving a
consumer reporting agency.”

And if the person or agency that experienced a breach of security is owned by another person or corporation, the notice to the consumer must now include the name of the parent or affiliated corporation.