Written By ESR News Blog Editor Thomas Ahearn
On April 11, 2019, amendments passed in 2018 by the Massachusetts legislature to the Data Breach Notification Law will take effect and impose additional requirements on companies covered by the law that suffer a data breach involving the personal information of Massachusetts residents.
Massachusetts Data Breach Notification Law
The Data Breach Notification Law requires businesses that own or license the personal information of Massachusetts residents to notify the Office of Consumer Affairs and Business Regulation (OCABR) and the Office of Attorney General when they know – or have reason to know – of a data breach.
Businesses must provide notice if they know – or have reason to know – that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, or used for an unauthorized purpose, and must also notify the consumers whose information is at risk. Additional requirements will include:
- Businesses providing notice of a data breach to the Massachusetts Attorney General and the OCABR must provide additional information including the type of information compromised, the person or people responsible for the data breach if known, and whether the company maintains a written information security program (WISP).
- Businesses providing notice of a data breach to consumers must identify any parent or affiliated corporation, and cannot delay the data breach notice to affected consumers on the basis that the number of people affected has not yet been determined.
- Businesses providing notice of a data breach also must offer credit monitoring services at no charge for at least 18 months – 42 months if the company is a consumer reporting agency (CRA) – if the Social Security Numbers (SSNs) of consumers were disclosed in a data breach.
- Businesses providing notice of a data breach that offer credit monitoring services to affected consumers cannot request those individuals to waive the right to bring a private action in exchange for those services.
In January 2019, Massachusetts Governor Charlie Baker signed House Bill No. 4806, An Act Relative to Consumer Protection from Security Breaches, into law, which amended provisions of the state’s data breach notification law. More information about the requirements for data breach notifications is available here.
The massive data breach suffered by nationwide credit reporting agency Equifax in September of 2017 that impacted more than 145 million Americans – almost half of the country – was a wake-up call for all industries to improve their information security, including CRAs that perform background checks.
Data breach concerns have led to an increased focus on information security for background screening firms in 2019, and this trend was chosen by leading global background check provider Employment Screening Resources® (ESR) as first on the list of “ESR Top Ten Background Check Trends” for 2019.
In the wake of well-publicized data breach incidents, employers conducting background checks are looking for screening firms to have third-party certifications such as SSAE 18 SOC 2® Type 2 reports and accreditation from the National Association of Professional Background Screeners (NAPBS).
In the European Union (EU), U.S. screening firms must comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which governs the transfer of personal data from the EU and Switzerland to the U.S., and the General Data Protection Regulation (GDPR), which protects the personal data of EU citizens.
ESR Ensures Data Breach Protection During Background Checks
Employment Screening Resources® (ESR) – a leading global background check provider – is accredited by the NAPBS, undergoes annual SOC 2® audits, participates in the EU-U.S. and Swiss-U.S. Privacy Shield Framework, and has fully compliant GDPR technology. To learn more about ESR, visit www.esrcheck.com.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.
© 2019 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.