This month, the Governor of Massachusetts signed into law a number of amendments to current state data breach notification legislation. The law, titled “An Act relative to consumer protection from security breaches,” will impose new data breach notification requirements upon companies and mandate that Massachusetts residents receive credit monitoring services at no cost following a breach involving an individual’s Social Security number. The law also prohibits a company from conditioning free credit monitoring services on a data breach victim’s acceptance of a mandatory arbitration clause. More specifically, the law states:
(b) A person that experienced a breach of security shall not require a resident to waive the resident’s right to a private right of action as a condition of the offer of credit monitoring services.
The Act was passed after a number of large data breaches occurred at companies such as Equifax and Marriott. In both instances, the companies initially offered data breach victims complimentary fraud monitoring services that included a mandatory arbitration provision. Following public outcry, each company indicated the arbitration clause would not apply to a victim’s right to pursue any legal claims related to the data breach in court. You may read more about the Marriott data breach in a previous Disputing blog post.
The new data breach provisions will take effect on April 11th.