By Marylou Fabbo and Andrew Adams

Even employers that one would expect to have highly sophisticated data protection systems remain vulnerable to data breaches – just last year Facebook discovered a security issue that allowed hackers to access information that could have allowed them to take over more than 50 million accounts.  Still, breaches aren’t just the result of criminal activity, hacking, or viruses.  They also occur when an employee inadvertently e-mails sensitive information to the wrong person or email address.  Organizations also are vulnerable to disgruntled employees who choose to take documents containing personal information with them when they leave employment.  We’ve had a handful of cases in which a terminated employee submitted confidential personal information about a client’s customers to the Massachusetts Commission Against Discrimination in support of his/her claim.  (On a side note, the MCAD found a Lack of Probable Cause and dismissed all of those cases.)  Consistent with the ever-growing issue of data breaches, employers’ obligations under the state’s data breach law recently have been expanded to provide additional protections for those whose information may have gotten into the hands of the wrong person.

The Law

In 2007, Massachusetts passed “An Act Relative to Security Freezes and Notification of Data Breaches,” commonly known as the “Data Breach Notification Law.”   In 2019, Massachusetts amended the Data Breach Notification Law.  Under that law a breach is defined as the unauthorized acquisition or use of a Massachusetts resident’s sensitive personal information that carries a substantial risk of identity theft or fraud.

Certain notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name:

• Social Security number;
• Driver’s license number;
• State issued ID card number; and/or
• Financial account number, or credit/debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account.

Information to Be Provided to Attorney General and Office of Consumer Affairs

Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained, the business or entity that was breached must notify both the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office of the breach.  The notification must include all of the following:

• A detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information;
• The number of Massachusetts residents affected as of the time of notification;
• The steps already taken relative to the incident;
• Any steps intended to be taken relative to the incident subsequent to notification; and
• Information regarding whether law enforcement is engaged in investigating the incident.

Additionally, under Massachusetts law, companies who store or use personal information about a MA resident must develop a written, regularly-audited plan to protect personal information. Organizations that experience a breach must also report whether they have that Comprehensive Written Information Security Program, commonly referred to as a “WISP.” 

Breach Notice to Massachusetts Residents

Notice to the Massachusetts residents whose information was breached must also be provided when there is a data breach and must include all of the following information:

• The right to obtain a police report;
• How to request a security freeze at no charge—with information on how to do it;
• Information on complimentary credit monitoring services; and
• And the name of the parent and subsidiary organizations.

While the above information must be included, it is impermissible to set forth the nature of the breach or unauthorized acquisition or use and the number of MA residents affected.

No Delay in Notice

As mentioned before, companies with a breach are required to notify affected individuals “as soon as practicable and without unreasonable delay.”  However, unlike the earlier version of the law, the amended law now requires what is essentially a rolling notification period beginning the moment the breach is discovered.  That means that individual residents must be notified as soon as practicable and without unreasonable delay, even if the full extent of affected residents has yet to be determined. 

Disclosure of Parent or Affiliated Corporation

Companies are also required to provide information on parent and affiliated corporations.  Specifically, if the employer that has a breach is owned by a separate entity, the notice letter to the affected individual must specify the name of the parent or affiliated corporation. 

Credit Monitoring Services

Costs associated with a breach will be on the rise.  That’s because when a breach involves social security numbers, the organization that experienced the breach must offer free credit monitoring services for 18 months (or 43 months if a consumer reporting agency) through a third-party vendor at no cost to the affected party.  As noted above, in the initial notice to the individual whose information has been breached, a company must also include all necessary information on credit monitoring services and how to put a security freeze on his or her consumer credit report.  Individuals are entitled to this free service – companies cannot ask individuals to waive their right to a private action as a condition of receiving the credit monitoring services.  A full listing of the changes which took effect on April 10, 2019 and frequently asked questions can be found here.

Reducing Your Risk

If you don’t have a WISP in place, Skoler Abbott attorneys can help you draft one, and, if you suspect you may have a breach, we can help you draft required notices and put other damage-control measures in place.