Massachusetts amended its data breach notification law to require the sharing of certain information with state regulators by an unspecified deadline when a breach occurs. However, don't let the unspecified time frame fool you, lawyers warned. Companies are now under a heightened pressure to notify regulators of breaches as soon as possible—with room to issue a revised notice later.

The measure set to go into effect by April 11 includes new language extending free credit monitoring and other rights to residents whose information was breached. Breached entities are also required to share more information in breach notification letters to the Massachusetts attorney general and director of consumer affairs and business regulation.

Such additional information includes the nature of the breach, number of Massachusetts residents affected, person responsible for the breach and information compromised. Companies also have to disclose whether they have a written information security program and the steps taken after the data breach, including updates to their written information security program (WISP).

What Massachusetts' data breach notification law doesn't specify is a time frame for notifying regulators. Instead, it says a notice “shall not be delayed on grounds that the total number of residents affected is not yet ascertained.”

Other states have enacted data breach notification laws and some include a 72-hour or 30-day deadline for companies to notify regulators. Such a bright-line provision can be contested, as the specific time a breach occurred may not be known immediately, noted Ogletree, Deakins, Nash, Smoak & Stewart shareholder Danielle Vanderzanden.

“'There is always room for dispute over the precise point in time that the fact of a breach was discovered,” explained Vanderzanden. “In the vast majority of instances, there is need for follow-up to determine if there's a breach.”

Lawyers said the unspecified deadline for notification doesn't allow companies to be complacent. Instead, the amendment's language allowing companies to update their notification signifies Massachusetts wants immediate initial notification, and updates to notifications are acceptable and perhaps expected.

“I think there's a little more flexibility in the Massachusetts statute that affords entities the ability to do more thorough investigations before making their breach notification, but I point out again that you can't initially delay and claim you don't know the full extent,” said William Rogers of Boston-based Prince Lobel Tye. “[It] is not a legitimate excuse.”

“[At] that point it turns from an incident to a breach, where protected information was disclosed to a third party, I would say in every incidence it is in a company's interest to provide required notification as promptly as possible,” Vanderzanden added. “There's no magic bell in the Massachusetts statute, but as soon as a company [knows] that an individual's data is at risk, it's important to provide notice.”

Whereas the new amendments may not provide definite deadlines for breach notification, it does implicitly require companies to have a written information security program in place prior to a breach.

Although the general requirement to have a written information security program, also known as WISP, went into effect in 2010, lawyers contacted by Legaltech News said some companies still aren't in compliance.

“First thing I would tell, and I have told my clients is as the law specified in 2010, you have to maintain a written WISP,” said Rogers. “A WISP requires entities to maintain privacy and security in accordance with specified administrative and physical and technical safeguards. Unfortunately, what we see nine years later, not all organizations that should have a WISP have a WISP.”

Penalties for companies that have experienced a breach or consequences for non-notification aren't listed in the amendments. However, lawyers said, companies may feel regulators' wrath if they have a breach with no WISP enacted beforehand.

“If you have a breach and you don't have a WISP, I think you can anticipate a strong reaction and enforcement action for not having a WISP,” Rogers said.