Massachusetts data breach law amended: how it will affect employers

Recently, the Commonwealth of Massachusetts amended the Data Breach Notification Act, changing the requirements for businesses impacted by data incidents.

Under the amended act, businesses may not delay notifying regulators and customers of a data breach on the basis that the number of affected individuals has not yet been determined. Instead, notifications must be sent out “as soon as practicable and without unreasonable delay.” Should the number of affected individuals change, the initial notification may be updated; but a company can no longer delay notification for this reason.

Delaying notification of discovered data breaches has caused issues for companies and for individuals in the past. The Yahoo hack, which compromised the information of 500 million customers, was discovered by the company in 2014, but not reported until 2016. Equifax waited only six weeks to report the breach of an estimated 143 million customers; but was still considered negligent because the type of information stolen is exactly the information required to steal a person’s identity.

The Massachusetts law states no fixed notification period, unlike the laws of some other states. Colorado and Florida, for example, require that notification be distributed within 30 days of discovering the breach; other states with defined periods may require notification within 45 or 60 days.

Many states, however, maintain an undefined notification period like Massachusetts, stating instead that regulators and customers must be notified of a breach ‘without delay.’ While this may seem to give businesses greater flexibility in managing notifications, the lack of a set deadline may make compliance more difficult to prove, as it becomes a subjective interpretation of ‘unreasonable delay.’

Further changes to the Act require that organizations that suffer a data breach provide free credit monitoring and free credit freezes to customers; and if the affected organization is a credit rating agency, it must provide 42 months of complimentary credit monitoring services.

This reflects the state’s reaction to the Equifax breach in 2017, which compromised the personal data of an estimated 3 million Massachusetts residents.

PwC estimates that one-third of all companies in the U.S. have purchased some form of cyber insurance, and expects that a $2.5 billion market in cyber insurance premiums today will grow to $7.5 billion by 2020. While cyber insurance cannot protect a firm from a breach, it can help to mitigate any financial repercussions that result from a breach or hacking incident.

Many choices are available for cyber insurance providers, with over 170 insurers providing cyber protection for businesses and for individuals, up from 119 in 2015.

The top three cyber insurance providers in the U.S. are Chubb, an A++ rated provider of cyber insurance coverage for firms and for individuals; AIG, focusing on several cyber products for businesses; and XL Group, offering the first on-demand cyber insurance solution created specifically for SMBs.

It is critical for businesses to be aware of the potential risk posed to their own data by security vulnerabilities in third-party vendor systems. A study by the Ponemon Institute found that 61% of respondents have experienced a data breach that was initiated in third-party or vendor systems, an increase of 12% over 2016 numbers. To protect your data from a third-party breach, experts recommend that you require vendors to have adequate cyber insurance coverage (see below for sample insurance provision) and, additionally, conduct regular assessments of the security and privacy practices of all third parties, along with requiring notification when data is shared with additional parties by the vendor. 

As an employer in Massachusetts, it is critical to understand your obligations and requirements under the Data Breach Notification Law. If you are an employer with data security regulation concerns, The Brown Law Firm can help.  Call us at (617) 489-0817 for a confidential consultation.

Sample cyber risk/privacy insurance provision:

Vendor shall obtain and maintain at its own expense the following cyber risk/privacy insurance coverage purchased from a company or companies rated B+ or better by A.M. Best and licensed to do business in the following states [LIST STATES]:

• cyber risk/privacy insurance with limits of at least two million dollars ($2,000,000) each claim. [INCREASE TO AT LEAST $5M IF VENDOR WILL HAVE ACCESS TO PERSONAL INFORMATION]

Vendor will also name Company and its directors, officers, employees, and agents as an additional insured under the cyber risk/privacy insurance.

For the cyber risk/privacy coverage (i) any “insured vs. insured” exclusions will be modified accordingly to allow Company additional insured status without prejudicing Company’s rights under the policies; (ii) there shall be severability of the intentional conduct exclusions for the additional insureds; and (iii) there shall be an exception to any “breach of contract” exclusions for hold harmless agreements. Both policies will have a retroactive coverage date no later than the Effective Date and coverage shall be maintained for an additional period of three years following termination of the contract.

The cyber risk/privacy policy shall provide coverage for (i) liability incurred from alleged or actual theft, dissemination, and/or use of personal or confidential information and any related forensic costs, crisis management costs, and investigation costs; (ii) network security liability arising from the unauthorized access to, use of, or tampering with computer systems, including hacker attacks or inability of an authorized third party to gain access to services, including denial of service, unless caused by a mechanical or electrical failure; (iii) liability arising from the introduction of a computer virus into, or otherwise causing damage to, a customer’s or third person’s computer, computer system, network, or similar computer-related property and the data, software, and programs thereon; (iv) any government investigations resulting from the alleged or actual disclosure of personal or confidential information or network security liability event; and (v) non-physical business interruption.

** This article is designed for general information only. The information presented at this site should not be construed to be formal legal advice or the formation of a lawyer/client relationship.

Boston Bar Association