The Governor of Massachusetts has just signed into law amendments to the state’s data breach notification law. The amendments will go into effect April 11, 2019. Under the amended law, companies whose breaches involve Social Security numbers must provide free credit monitoring services to affected individuals. The services must last 18 months (42 months if the breached company is a credit reporting agency). Companies can’t require individuals to waive their rights to sue in order to get free credit monitoring and must certify to the state that the services provided comply with the law.

The amended law includes new requirements for consumer breach notices. Those notices must now describe any required credit monitoring services and identify a breached company’s parent company if it has one. A company won’t be able to delay sending notices while it identifies all affected consumers, but must send notices on a rolling basis. The amended law also requires more information in notices to state regulators. Breach notices to the two state regulators must now identify the person responsible for the breach (if it is known), the person reporting the breach, and the types of personal information compromised. Notices must also describe the steps taken by the company after the breach—including whether the company has revised its written information security program.

Putting it Into Practice: Companies with a nationwide incident response plan should keep in mind this expanded (18) month credit monitoring requirement.