BOSTON – Governor Charlie Baker on Thursday signed into law House Bill 4806, An Act relative to protecting consumers from security breaches. Both branches of the Massachusetts Legislature initially passed the legislation unanimously this past July, however the Governor sent back an amendment with concerns over state agencies’ abilities to perform their statutory duties without conflicting with current state and federal the law. The final legislation takes these concerns into careful consideration, making adjustments to exempt certain agencies in order to ensure compliance with existing regulations.
The final legislation provides a comprehensive update to data breach reporting laws, with additional resources for consumers to utilize when breaches occur. This builds upon federal regulations that went into effect this past fall. The legislation:
bans fees to place, lift, or remove a security freeze through a consumer reporting agency;
requires companies to obtain written, verbal, or electronic consent from a consumer prior to obtaining their credit report;
if a security breach includes social security numbers, requires companies to contract with a third party to provide 18 months of free credit monitoring services, or 42 months if the breach occurs at a consumer reporting agency;
requires that affected residents be notified when a breach occurs and notices must be posted online through the Massachusetts Attorney General’s Office and the Massachusetts Office of Consumer Affairs and Business Regulations; and
requires additional disclosure to consumers about the security breach, particularly when a breach occurs at a company that is owned by a parent or affiliated corporation.
“As our world grows increasingly dependent on online industries and systems, protecting the personal information of consumers remains critical while also holding companies responsible for the vast amounts of information they collect. I am proud that Massachusetts residents will now have better tools to safeguard their information and will be more informed when breaches do occur,” said State Representative Tackey Chan (D-Quincy), House Chair of the Joint Committee on Consumer Protection and Professional Licensure. “With so many stakeholders involved over the past several months, I want to thank my colleagues in the House and Senate and the Governor for their thoughtful consideration and commitment to producing a strong piece of legislation for our constituents across the Commonwealth.”
For more information about state and federal data security protections and resources available to consumers, visit https://www.mass.gov/identity-theft-data-privacy-and-cyber-security and https://www.consumer.ftc.gov/.