Massachusetts Data Breach Notification Law Amendments Take Effect April 11

Written By ESR News Blog Editor Thomas Ahearn

On April 11, 2019, amendments passed in 2018 by the Massachusetts legislature to the Data Breach Notification Law will take effect and impose additional requirements on companies covered by the law that suffer a data breach involving the personal information of Massachusetts residents.

Massachusetts Data Breach Notification Law

The Data Breach Notification Law requires businesses that own or license the personal information of Massachusetts residents of to notify the Office of Consumer Affairs and Business Regulation (OCABR) and the Office of Attorney General when they know – or have reason to know – of a data breach.

Businesses must provide notice if they know – or have reason to know – that the personal information of a Massachusetts resident was acquired or used by an unauthorized person, used for an unauthorized purpose, and also notify the consumers with information at risk. Additional requirements will include:

Businesses providing notice of a data breach to the Massachusetts Attorney General and the OCABR must provide additional information including the type of information compromised, the person or people responsible for the data breach if known, and whether the company maintains a written information security program (WISP).
Businesses providing notice of a data breach to consumers must identify any parent or affiliated corporation, and cannot delay the data breach notice to affected consumers on the basis that the number of people affected has not yet been determined.
Businesses providing notice of a data breach also must offer credit monitoring services at no charge for at least 18 months – 42 months if the company is a consumer reporting agency (CRA) – if the Social Security Numbers (SSNs) of consumers were disclosed in a data breach.
Businesses providing notice of a data breach that offer credit monitoring services to affected consumers cannot request those individuals to waive the right to bring a private action in exchange for those services.

In January 2019, Massachusetts Governor Charlie Barker signed House Bill No. 4806, An Act Relative to Consumer Protection from Security Breaches into law which amended provisions of the state’s data breach notification law. More information about the requirements for data breach notifications is available here.

The massive data breach suffered by nationwide credit reporting agency Equifax in September of 2017 that impacted more than 145 million Americans – almost half of the country – was a wakeup call for all industries to improve their information security, including CRAs that perform background checks.

Data breach concerns have led to an increased focus on information security for background screening firms in 2019, and this trend was chosen by leading global background check provider Employment Screening Resources® (ESR) as first on the list of “ESR Top Ten Background Check Trends” for 2019.

In the wake of well publicized data breach incidents, employers conducting background checks are looking for screening firms to have third-party certifications such as SSAE 18 SOC 2® Type 2 reports and accreditation from the National Association of Professional Background Screeners (NAPBS).

In the European Union (EU), U.S. screening firms must comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework that govern the transfer of personal data from the EU and Switzerland to the U.S. and the General Data Protection Regulation (GDPR) that protects the personal data of EU citizens.

ESR Ensures Data Breach Protection During Background Checks

Employment Screening Resources® (ESR) – a leading global background check provider – is accredited by the NAPBS, undergoes annual SOC 2® audits, participates in the EU-U.S. and Swiss-U.S. Privacy Shield Framework, and has fully compliant GDPR technology. To learn more about ESR, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2019 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_parsely_session	30 minutes	This cookie is used to track the behavior of a user within the current session.
_parsely_visitor	1 year 1 month	This cookie store anonymous user idnetifier to determine whether a visitor had visited before, or if its a new visit.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
cookies.js_dtest	session	No description
test	session	No description available.

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce

Massachusetts Data Breach Notification Law

ESR Ensures Data Breach Protection During Background Checks