What is the Massachusetts Data Breach Notification Law and How Should You Prepare for It?
Massachusetts recently made significant changes to its data breach notification law, and every company needs to know how to comply with it fully before it comes into effect on April 11, 2019. Learning about the law and preparing for it now could save you many headaches and legal repercussions down the line.
What is the Massachusetts data breach notification law?
The Massachusetts data protection law is legislation that stipulates security requirements for just about any company that handles the private data of residents. The law is more formally known as “Standards for The Protection of Personal Information of Residents of the Commonwealth” (or 201 CMR 17.00). Similar legislation is under consideration in most other states.
The Massachusetts data breach notification law includes requirements for:
- Encryption of personal data.
- Retention and storage of both digital and physical records.
- Network security controls (firewalls, for example).
- Risk management policies and practices.
- Employee training.
- Adequate documentation of data breaches.
- Adequate documentation of any policy changes.
- Ensuring that any associated third-party providers who have access to the data maintain the same standards.
The Massachusetts data breach notification law replaces earlier legislation requiring organizations to notify individuals when a security breach put their data at risk. According to Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation, “Breach-notification laws deal with what happens after the horse leaves the barn.” Crane says that 201 CMR 17.00 is intended “to prevent the horse from getting out of the barn in the first place.”
What is changing about the new Massachusetts data breach law?
While several changes are being made to the Massachusetts data breach notification law, two in particular will have a considerable impact on companies.
- The first is that any company that has a data breach will need to offer victims of the breach free credit freezes and credit monitoring. This credit monitoring service must last for at least 18 months for most companies, while consumer reporting agencies that experience a data breach must offer credit monitoring services for a minimum of 42 months.
When you consider that most credit monitoring services charge between $15-$25 a month per individual, it’s clear that this could add up very quickly.
- The organization that experienced the data breach will also need to file a report that will show that the credit monitoring services being offered comply with the new statute. This is to ensure that those affected by the breach receive adequate monitoring.
There is an additional change, which is really an update to what information is required in a breach notification.
Currently, any company that experiences a data breach must notify both the Director of the Office of Consumer Affairs and Business Regulation (OCABR) as well as the Massachusetts Attorney General. This notification must be “as soon as practicable and without unreasonable delay” and must include the nature of the data breach, the number of Massachusetts residents that were affected by it, and what the company is doing about the breach.
Now, however, the notifications will also need to include the following content:
- Name and address of the organization that experienced the security breach
- Name and title of the person reporting the data breach, the type of person or agency they are, and their relationship to the organization that experienced the breach
- What kinds of personal information were compromised by the security breach
- If known, the person or entity who was at fault for the data breach occurring
- If the organization has a written information security program and if they are updating it
You’ll note that these Massachusetts data breach notification law requirements are very similar to GDPR, which is further evidence that recently enacted regulations, including the Canada data breach law, California AB 375, and now the Massachusetts law, are all adopting similar guidelines.
On top of this, the Massachusetts law is being changed to prohibit an organization from delaying its breach notice by claiming that the number of individuals affected hasn’t been determined yet. Instead, the organization will need to send the notice regardless of whether it knows how many people were affected by the breach.
Finally, the OCABR will be required to create an electronic copy of the notice sent to consumers and make it available on its website. Furthermore, the OCABR will also need to provide consumers with instructions on how to request a copy of the notice that was provided to the OCABR and the Attorney General by the organization that had its data breached.
Even if your company isn’t located in Massachusetts, you could still be affected by these impending changes. If your company experiences a data breach and any of your customers reside in Massachusetts, you will be required to comply with these changes.
How to Prepare with CSPi
While the law isn’t far off, you still have time to prepare for the Massachusetts Data Breach Notification Law before it goes into effect. First and most importantly, you will need to update your organization’s current intrusion response and data breach response plan, both to make sure you know what actions to take and to comply with these latest amendments to Massachusetts’ data breach notification law.
It is also likely that you will need to make better use of your network and data security tools, or squeeze more effectiveness out of them. One of the main difficulties in meeting compliance regulations with existing security tools is that their focus is largely on perimeter protection.
In fact, a recent Forrester survey found that up to 80% of east-west traffic today may be unmonitored, leaving a sizable gap in visibility into the activities taking place across the network. To comply with these data privacy regulations, however, you need a strong, real-time grasp of the impact of any intrusion (real or not) on your critical assets.
Our ARIA Software-Defined Security (SDS) solution provides not only complete enterprise-wide network security but also protection of your high-value critical assets, such as PII or PHI. With ARIA SDS, all data traffic associated with your critical assets is monitored and recorded as it moves through the network, including east-west traffic. In addition, data encryption keys are centrally managed and can be generated at rates of up to thousands per minute, protecting not only data at rest but also data used within or generated by applications.
In addition, our Myricom nVoy Series pairs seamlessly with ARIA to conduct breach identification and notification and to provide the reporting needed to prove compliance with regulations such as this new Massachusetts data breach notification law. Security teams can take advantage of packet-level recordings of all conversations between critical devices and data. With full line-rate packet capture, zero packet loss, and highly accurate timestamping, this technology provides the data needed for complete visibility into a possible breach and its effect on critical data, such as PII or PHI.
With the level of intelligence provided by CSPi’s suite of cybersecurity solutions, security teams can complete a tightly focused breach investigation in mere hours rather than days, weeks, or months, a dramatic improvement in breach response.
Want to know more about complying with regulations such as the Massachusetts data breach notification law? Please download our Data Privacy Regulations eBook today.
To learn more, visit www.cspi.com.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights.
CSPi’s ARIA SDS platform uses a simple, automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification, and network monitoring, enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.