In what's becoming a common, almost ubiquitous practice for many states, Massachusetts tweaked its data breach notification law late last week, adding in new protections for consumers, especially when it comes to credit freezes.

The law, An Act Relative to Consumer Protection From Security Breaches, was signed into law by the state's Governor Charlie Baker last Thursday.

One of the biggest changes to the law, HB 4806, requires companies to offer free credit monitoring services to victims for at least 18 months. If a credit monitoring service - like Equifax - is breached, the service will be required to contract with a third party to offer free credit monitoring for 42 months.

Under the law businesses that experience a data breach need to report the following to the state:

• The nature of the breach of security or unauthorized acquisition or use
• The number of residents of the commonwealth affected by such incident at the time of notification
• The name and address of 
the person or agency that experienced the breach of security
• Name and title of the person or 
agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security
• The type of person or agency reporting the breach of security
• The person responsible for the breach of security, if known
• The type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data
• Whether the person or agency maintains a written information security program
• Any 
steps the person or agency has taken or plans to take relating to the incident, including updating 
the written information security program. 


The law still doesn't provide a timeline for issuing breach notifications, only that it should be done "as soon as is practicable and without unreasonable delay following the discovery of a breach of security or unauthorized acquisition or use."

A new part of the law does however specify that data breach notifications can't be delayed if an organization isn't entirely clear how many residents are affected. In the event this is the case, the law says "a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information."

The country's patchwork of state data breach notification laws are constantly changing, so much so that many legislators have urged Congress to adopt a national standard in recent years. The latest law, proposed last month, would invoke federal preemption of state and local regulations while addressing uniformity for data breach notifications.