
New data breach law raises stakes.

Byline: Pat Murphy

When amendments to the state's data breach law went into effect last month, a credit monitoring remedy for Massachusetts residents grabbed the headlines. But experts say it's important not to overlook another significant change: Compromised entities now must comply with more demanding notice requirements.

When a breach has been identified, a business can't wait until a forensic expert has completed an investigation and determined precisely whose personal information has been compromised. The new law specifies that notice to a Massachusetts resident of a data breach "shall not be delayed on grounds that the total number of residents affected is not yet ascertained."

Further, the notice provided to the Attorney General's Office and other regulatory agencies must include more detailed information about the breach, notably whether the breached entity maintains a written information security program, as mandated by state regulations.

For lawyers, knowing the ins and outs of the new data breach notification law is more than a matter of advising clients on compliance. It's also a matter of self-interest. The personal data held by law firms is a prime target for hackers. Like any other business, law firms need to be prepared to comply with data breach laws.

"This is not just an IT issue, it's a risk-management issue," said Boston attorney Adam L. Littman.

Law firms should be "leading by example" by making data security a high priority, said Littman, a business litigator who also counsels clients on cybersecurity and data privacy issues.

Lawyers "are particularly vulnerable to damage to their reputation if they experience a breach," he added. "The last thing you want is to have to tell clients that their personal information has been compromised in a breach."

Extra-territorial reach

The new data breach notification law, H.4806, went into effect April 11 after being signed by Gov. Charlie Baker in January.

Steven J. Bolotin, a risk-management attorney who advises clients on their information technology and cyber practices, views the measure as an expansion of the state's existing data breach notification law, Chapter 93H.

He noted that the commonwealth's law is modeled after the General Data Protection Regulation adopted by the European Union, specifically with respect to having "extra-territorial" reach.

Massachusetts law "regulates the data no matter where it goes," he said. "If you're a company in Illinois, California or China and you have [personal] data belonging to Massachusetts residents, you're subject to this regulation."

Bolotin observed that the patchwork of data breach laws in the U.S. can be a real headache for lawyers.

"Imagine you are a five-person law firm and you have clients all around the country," he said. "Attorneys have this kind of [personal] information quite regularly. You're now subject to these regulations in every state in which you have a client headquartered."

Free credit monitoring

With the enactment of H.4806, Massachusetts joined California and Delaware in becoming the only states to require free credit monitoring for individuals victimized by breaches. Last year, Connecticut passed legislation requiring free identity theft prevention and, under certain circumstances, identity theft mitigation services for individuals whose personal information has been breached.

Littman said the new Massachusetts requirement may be the start of a trend, and foresees more states enacting free credit reporting requirements as part of their data breach laws.

The legislation amended the existing data breach law by adding G.L.c. 93H, § 3A. The new law requires that breached entities provide at least 18 months of free credit monitoring services to residents who suffer a breach of security that includes a Social Security number. If the security breach involves a consumer reporting agency, the resident is entitled to a minimum of 42 months of credit monitoring.

Westborough's Matthew R. Fisher advises clients on security and privacy issues as part of his healthcare practice. Fisher said the new requirement doesn't impact his healthcare clients because most entities in that industry have for years offered credit monitoring in the event of a data breach.

"It's viewed as a nice 'olive branch' to offer," he said.

The statute further provides that an entity "that experienced a breach of security shall not require a resident to waive the resident's right to a private right of action as a condition of the offer of credit monitoring services."

Bolotin said it remains to be seen how that statutory language will be interpreted by the courts.

"It doesn't allow a waiver of requirements under the law. However, it does appear that it will still allow some measure of negotiation as to how any disputes over compliance with the law will be resolved," said Bolotin. "For example, it still may allow arbitration provisions to be enforced as long as they are enforceable in court and they meet the basic fairness tests that have been recently applied to arbitration in consumer contracts."

He suggested that the change in the law presents an opportunity for companies to take a hard look at their insurance policies covering cybersecurity risks.

"There can be extreme variance as to what is and what is not covered under so-called 'cyber' policies," he said. "People buy cyber policies thinking they're set in the event they have damages to pay because of a data breach, only to find that they're only really covered for their own internal costs getting themselves back up and running."

Beefed-up notifications

The prior law required a breached entity to provide notice to the Attorney General's Office, state regulators and consumer reporting agencies of "the nature of the breach of security or unauthorized acquisition or use, the number of residents of the commonwealth affected by such incident at the time of notification, and any steps the person or agency has taken or plans to take relating to the incident."

The new legislation amends G.L.c. 93H, § 3(b) by adding duties to report: (1) the name and address of the entity that experienced the breach; (2) the name of the entity reporting the breach and their relationship to the breached entity; (3) the "type" of entity reporting the breach of security; (4) the person responsible for the breach, if known; (5) the type of personal information compromised; (6) whether the breached entity maintains a written information security program; and (7) any steps taken or planned in response to the incident.

According to Littman, the changes suggest that state regulators were not satisfied with the notifications they were receiving under the prior law.

"They want to make sure notifications are more detailed and provide them with the information they need," he said.

Littman pointed out that the duty to report whether the breached entity has a "written information security program" raises regulatory compliance concerns.

A WISP sets out the administrative, technical and physical safeguards that a business uses to protect personal information. WISP requirements are defined by a regulation issued by the Office of Consumer Affairs and Business Regulation, 201 CMR 17.00. Since 2010, every company that owns or licenses "personal information" about Massachusetts residents is required to develop, implement, and maintain a WISP.

According to Littman, this is a problem because some businesses do not have a WISP, haven't fully implemented a WISP, or have failed to update a WISP they implemented years ago.

"This is going to be a focal point for regulators, discovering who is in compliance and who is not," he said. "For businesses that are not on top of their WISP compliance obligations, this [legislation] is a cue that they need to ramp up their compliance."

Fisher said it will be interesting to see if breached entities start reporting that they either didn't have a WISP or didn't comply with a program that was in place.

"That would be a serious admission, and I suspect people will dance around it," he said.

With respect to the duty to provide notice to individuals affected by a breach, Littman found most notable the amendment to G.L.c. 93H, § 3, which prohibits delay until the breached entity ascertains the extent of the breach and all those whose personal data was compromised. Such delays are a problem for affected individuals who need to respond quickly in the event of a breach in order to protect their credit, he said.

"The law now requires a breached entity to provide 'rolling notices' to residents," he said. "As soon as an entity knows a resident has been impacted by a breach, it's obligated to notify that resident. That means that companies now need to act more quickly. They can't wait until a breach has been fully investigated and send out a mass notice to everyone impacted."

Fisher said he was hopeful that quickly disseminating information about a data breach would be a net benefit, and he understood the argument that it might help the government identify broader cyber threats at an earlier stage.

"However, as soon as you disclose something, there are going to be all sorts of questions," said Fisher. "[A client] might want to have more definitive and concrete answers than might be readily available when you report more quickly. It's a difficult balancing act."

Copyright © 2019 BridgeTower Media. All Rights Reserved.

Article Details
Author: Murphy, Pat
Publication: Massachusetts Lawyers Weekly
Date: May 9, 2019