New Massachusetts Data Breach Notification Law Passed

January 18, 2019


A new Massachusetts data breach notification law has been passed. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019, and will come into effect on April 11, 2019.

The new legislation updates current Massachusetts data breach notification law and introduces new requirements for notifications.

Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of confidential personal information that creates a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized person together with an individual’s first name and last name, or first initial and last name:

  • Social Security number
  • Driver’s license number
  • State issued ID card number
  • Financial account number, or credit/debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account.

As with the earlier law, there is no fixed deadline for issuing breach notifications. They must be issued “as soon as is practicable and without unreasonable delay” after it has been determined that a breach of personal information has occurred.

That said, there is one change to the timing of breach notifications: persons and businesses that have suffered a data breach can no longer wait until the total number of individuals affected by the breach has been determined. The law states, “In such case, and where otherwise essential to update or rectify the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”

One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is already the case in Connecticut and Delaware. The minimum term for free credit monitoring is 18 months or, where the breached entity is a consumer reporting agency, a minimum of 42 months.


One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. CLICK TO TWEET

Notifications must be issued to all individuals affected by the breach, to the Office of Consumer Affairs and Business Regulation, and to the Massachusetts Attorney General’s Office.

The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a thorough description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps already taken in response to the security breach, the steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach was experienced by a parent company or affiliated business, the name of that business must be included in the notification.