Massachusetts Legislature Passes Comprehensive Consumer Data Security Legislation

BOSTON – The Massachusetts House of Representatives and Senate voted unanimously Wednesday to pass House Bill 4806, An Act relative to consumer protection from security breaches. The bill represents a compromise reached between House and Senate conference committee negotiators, led by Joint Committee on Consumer Protection and Professional Licensure Chairs Tackey Chan (D-Quincy) and Barbara L’Italien (D-Andover), along with members Representative Dan Hunt (D-Boston), Representative Randy Hunt (R-Sandwich), Senator John Keenan (D-Quincy), and Senator Ryan Fattman (R-Webster). The compromise builds on recently passed federal regulations mandating the removal of all fees for consumers who elect to place, lift, or remove a credit freeze from a consumer reporting agency.  The Massachusetts legislation also updates the state’s laws to reflect modern technological processes, updates notification requirements, and mandates free credit monitoring services if a security breach occurs.

“We are proud to have Massachusetts continue to lead in providing comprehensive consumer protections in cases of security breaches,” said Chairman Tackey Chan. “Each of us entrust our information to others to protect and this legislation gives consumers new resources and greater awareness of the tools they can take advantage of to protect their credit. Through the dedicated efforts of the entire committee and conference members, we were able to work through a very comprehensive bill involving federal and state laws and regulations and are extremely proud of the legislation passed today.”

H4806 updates laws to include electronic and verbal communication procedures for consumers’ interactions with consumer reporting agencies, updates public notice requirements through the Attorney General’s Office and the Office of Consumer Affairs and Business Regulation, requires additional credit monitoring services be provided in cases of security breaches, and mandates that credit bureaus must disclose how to access a free credit freeze before offering any paid services. Following a breach of a business entity, which includes social security numbers, Massachusetts residents who were affected will receive free credit monitoring services for 1.5 years; if a breach occurs at a consumer reporting agency, Massachusetts residents will receive free credit monitoring services for 3.5 years. Under this legislation, breached parties will be required to disclose their parent or affiliated corporation to consumers, as well as information about where the breach occurred, in order to increase transparency.

“The Equifax data breach affected many South Shore residents and was a wake-up call that our consumer protection laws needed to be strengthened,” said Senator John Keenan. “I am thankful to Representative Chan and Senator Barbara L’Italien for their dedication and effective leadership on this issue. Through this legislation, Massachusetts’ laws are current with technology, include strong credit freeze provisions, stringent notice of breach requirements and access to fair credit monitoring, all to provide greater protections to consumers.”

“In the wake of the Equifax breach, we have learned that our personal credit information is more vulnerable than ever. This bill empowers consumers to better understand their credit reports and helps them take action to protect themselves when their information has been compromised,” said Representative Dan Hunt. “It has been a pleasure to work with Chairman Chan, Senator Keenan, and our fellow conferees on such a vital consumer protection issue.”

The Joint Committee on Consumer Protection and Professional Licensure has been working to address the growing issue of data security since the Equifax data breach went public in September 2017, and the legislation passed this week represents months of research and discussions with stakeholders and fellow legislators to address the complex topic. The legislation builds on federal regulations that were passed by Congress in late May, after the conference committee had begun negotiations to reconcile the House and Senate bills. Under federal law, consumer reporting agencies are prohibited from charging any fees to a consumer who elects to place, lift, or remove a credit freeze and requires consent from a consumer for access to their consumer credit report. After a request to place a security freeze, credit bureaus must comply within one day of receiving the request, and if a consumer requests to remove a freeze, credit bureaus must comply within one hour. 

Federal law will go into effect September 21, 2018, while the state law will go into effect 90 days after the bill is signed by the Governor. More information about federal and state data security protections can be found at and