ANA Seeks Changes to Massachusetts Data Breach Notification Law

Advertising Law

Still reeling from the enactment of the California Consumer Privacy Act (CCPA), the Association of National Advertisers (ANA) is pushing back against a proposed data breach notification bill in Massachusetts.

The legislation would amend existing state law to require covered entities to notify consumers and the state attorney general in the event of a data breach. Affected companies would be required to provide the AG with information such as the nature of the security breach, the number of residents affected by the incident, the type of personal information compromised (Social Security numbers, for example) and whether the company maintains a written information security program.

Companies would provide consumers with notice of their right to obtain a police report and details on how to request a security freeze, furnish them with the necessary information to request the freeze and notify them that the security freeze can be obtained free of charge. Companies would not be permitted to delay the notice to consumers on the ground that the total number of affected residents has not yet been ascertained. If necessary, the bill would require additional notice “as soon as practicable and without unreasonable delay” if the company learns of additional information.

Originally introduced as HB 4806, “An Act relative to consumer protection from security breaches” was passed by the state legislature last term. Governor Charles D. Baker vetoed the measure in August, however, and returned it to lawmakers with an amendment recommendation. Reintroduced as HB 4873 and passed by the Massachusetts House of Representatives, the proposed law is now pending before the state senate.

Before the measure progresses any further, the ANA offered some suggestions for improvement. In a letter to Massachusetts Senate President Karen E. Spilka, Senior Vice President for Government Relations Christopher Oswald warned state senators the ANA will oppose the bill unless it is amended.

“As presently drafted without a ‘harm trigger,’ HB 4873 would require unnecessary and repetitive notifications for non-harmful data incidents that will cause Massachusetts residents to ignore all notifications over time, ultimately putting them at greater risk,” Oswald wrote. Without a “harm trigger” or threshold in place, any data breach incident would require notification in Massachusetts, resulting in “over warning,” the ANA cautioned.

“Similarly, the requirement for ‘rolling’ notifications for data breaches require entities suffering a breach to notify consumers immediately after discovery and require continued, repetitive notifications into the future—even if the breach poses no risk of harm,” according to the ANA.

As currently drafted, the bill “imposes an unnecessary and costly burden on companies seeking to identify, investigate and remediate the causes of a breach” and “would severely impact companies with increased class action litigation risk from consumers that will not suffer a negative impact from a non-harmful breach,” Oswald wrote.

The ANA urged lawmakers to amend HB 4873 to add a “harm trigger” and eliminate the rolling notice requirement. “Indeed, if enacted as presently drafted, HB 4873 will harm Massachusetts consumers, not help them,” the ANA concluded.

To read the ANA’s letter, click here.

To read HB 4873, click here.

Why it matters: Originally introduced in the wake of the Equifax data breach in September 2017, the Massachusetts bill has already wound its way through both houses of the state legislature, up to the Governor’s desk and back down again. Now the ANA has indicated its concern about the lack of a harm trigger and the rolling notifications requirement found in the proposed law.