Page 26 - SMRH Eye on Privacy 2019 Year in Review Brochure

Massachusetts Changes Data Breach Notification Requirements
Posted on January 29, 2019
The Governor of Massachusetts has just signed into law amendments to the state’s data breach notification law. The amendments will go into effect April 11, 2019. Under the amended law, companies whose breaches involve Social Security numbers must provide free credit monitoring services to affected individuals. The services must last 18 months (42 months if the breached company is a credit reporting agency). Companies can’t require individuals to waive their rights to sue in order to get free credit monitoring and must certify to the state that the services provided comply with the law.
The amended law includes new requirements for consumer breach notices. Those notices must now describe any required credit monitoring services and identify a breached company’s parent company if it has one. A company won’t be able to delay sending notices while it identifies all affected consumers, but must send notices on a rolling basis. The amended law also requires more information in notices to state regulators. Breach notices to the two state regulators must now identify the person responsible for the breach (if it is known), the person reporting the breach, and the types of personal information compromised. Notices must also describe the steps taken by the company after the breach—including whether the company has revised its written information security program.
PUTTING IT INTO PRACTICE: Companies with a nationwide incident response plan should keep in mind this expanded 18-month credit monitoring requirement.
South Carolina’s Insurance Breach Notice Requirements Now In Effect
Posted on January 22, 2019
South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping records of incidents for at least five years. This new notice requirement does not exempt companies from South Carolina’s general breach notice law, which requires notice to impacted individuals. The law also includes several security requirements, which will become effective July 1. Among those are having a written information security program, understanding potential risks, and taking steps to manage the risks. The law also requires entities to take care when choosing vendors or other third parties. Companies must certify compliance with the law annually, beginning in February 2020.
PUTTING IT INTO PRACTICE: Insurance companies with general breach notice plans should keep in mind the need to notify the insurance regulator in South Carolina, as well as the upcoming security requirements. Among these is not only a written information security program, but also taking care when working with third parties.