Massachusetts to Require Credit Monitoring for Certain Data Breaches

Cybersecurity & Technology

As of April 11, 2019, Massachusetts will require organizations suffering a data breach that involves a resident's social security number to provide credit monitoring services (CM Services) at no cost to the resident.  If the organization is a consumer reporting agency, the CM Services must be provided for at least 42 months, while all other organizations must provide the CM Services for at least 18 months. The new law prohibits the organization from requiring a resident to waive a private right of action as a condition to the offer of the CM Services, and it requires the organization to certify to the Attorney General and the Director of Consumer Affairs and Business Regulation the organization's compliance with the CM Services requirement.

The new law contains other important changes to breach notification requirements in Massachusetts, such as new content requirements, a prohibition on delaying notice due to the total number of affected residents not yet having been ascertained, and a requirement that the notice include the name of any parent or affiliated corporation that owns the organization.  The new law also provides for the posting of breach-related information by the Massachusetts Office of Consumer Affairs and Business Regulation on the office's website.

Bobby Turnage leads Sands Anderson's Cybersecurity and Technology Team. If you have questions about this post, or any data security or data breach issues, please contact Bobby or one of our Cybersecurity and Technology Team members.
