Updates to MA 201 CMR 17 Data Breach Law

Derek Boczenowski
Feb 1, 2019 1:00:00 PM


The Laws, they are a’ changin’…

…to paraphrase Bob Dylan. And I’m speaking about privacy and breach laws. It would seem that every other day we hear of another set of customer data being compromised at another company. It could be just name and address, but it could be phone number, Social Security Number, bank account information, and more.

To this end, state, federal, and even governments from other countries have started to enact regulations to try to not only give customers the ability to know what data has been collected, but also what these companies need to do in the seemingly inevitable chance of a compromise occurring. The latest such mandate comes from the state of Massachusetts, who has modified their Data Breach Notification Law.

These laws vary from state to state, but they all attempt to guide organizations by requiring them to perform a set of tasks in the case of a data compromise. The amended Massachusetts legislation was signed on January 10th, and takes effect beginning on April 11th, 2019. Here are some of the increased requirements that will be taking effect:

  • If the breach contains a Social Security Number, the company must provide free credit report monitoring for at least 18 months. – We’ve seen plenty of companies do this as a gesture of good will. In April, it becomes a mandatory requirement. They also cannot ask the customer to waive rights to sue as part of the credit monitoring offer. Currently only California, Connecticut, and Delaware have this requirement.
  • The breach must be reported to the Attorney General and Office Of Consumer Affairs. They must also report if they currently have a WISP (Written Information Security Program). – The WISP requirement isn’t new, it came about 10 years ago as part of Mass 201 CMR 17. However, it was very difficult to enforce. Having to show evidence of a WISP after the breach is an easy way for the state to investigate and levy fines for not being compliant.
  • Businesses can no longer wait for the entire breach to be discovered before notification begins. – Many companies wait until an investigation is complete before disclosing a breach to customers, allowing them to only provide a single notification. If the breach investigation drags on and discovers additional breached data, it is no longer acceptable to wait to notify users.
  • If a company that suffers a breach is owned by another company, notification to the breach customer must include the parent company. – That’s right, if Lucasfilm gets breached by an angry Star Wars fan and he steals data, the breach notification would need to include the Walt Disney Company in the notice.

Based on the changes coming, it would be a wise course of action to take a look at your company and its current security posture. Do you have a written information security program (WISP)? Do you have your own breach notification process, either by itself or included in your incident response plan? Have you had a recent audit of your information security controls to test their effectiveness? Like a data compromise itself, these changes are not a matter of if, but when. It pays to be informed and prepared. Contact us today to learn how we can assist your organization in preparing for these upcoming changes!

You May Also Like

These Stories on Compliance

Subscribe by Email

No Comments Yet

Let us know what you think