Clock's Still Ticking Despite Lack of Deadline in Mass. Breach Law
New amendments to Massachusetts' data breach notification law do not place specific time frames for notifying regulators. But lawyers said breach entities still need to provide notification as soon as possible.
January 22, 2019 at 09:30 AM
4 minute read
Massachusetts amended its data breach notification law to require the sharing of certain information with state regulators by an unspecified deadline when a breach occurs. However, don't let the unspecified time frame fool you, lawyers warned. Companies are now under a heightened pressure to notify regulators of breaches as soon as possible—with room to issue a revised notice later.
The measure set to go into effect by April 11 includes new language extending free credit monitoring and other rights to residents whose information was breached. Breached entities are also required to share more information in breach notification letters to the Massachusetts attorney general and director of consumer affairs and business regulation.
Such additional information includes the nature of the breach, number of Massachusetts residents affected, person responsible for the breach and information compromised. Companies also have to disclose whether they have a written information security program and the steps taken after the data breach, including updates to their written information security program (WISP).
What Massachusetts' data breach notification law doesn't specify is a time frame for notifying regulators. Instead, it says a notice “shall not be delayed on grounds that the total number of residents affected is not yet ascertained.”
Other states have enacted data breach notification laws and some include a 72-hour or 30-day deadline for companies to notify regulators. Such a bright-line provision can be contested, as the specific time a breach occurred may not be known immediately, noted Ogletree, Deakins, Nash, Smoak & Stewart shareholder Danielle Vanderzanden.
“'There is always room for dispute over the precise point in time that the fact of a breach was discovered,” explained Vanderzanden. “In the vast majority of instances, there is need for follow-up to determine if there's a breach.”
Lawyers said the unspecified deadline for notification doesn't allow companies to be complacent. Instead, the amendment's language allowing companies to update their notification signifies Massachusetts wants immediate initial notification, and updates to notifications are acceptable and perhaps expected.
“I think there's a little more flexibility in the Massachusetts statute that affords entities the ability to do more thorough investigations before making their breach notification, but I point out again that you can't initially delay and claim you don't know the full extent,” said William Rogers of Boston-based Prince Lobel Tye. “[It] is not a legitimate excuse.”
“[At] that point it turns from an incident to a breach, where protected information was disclosed to a third party, I would say in every incidence it is in a company's interest to provide required notification as promptly as possible,” Vanderzanden added. “There's no magic bell in the Massachusetts statute, but as soon as a company [knows] that an individual's data is at risk, it's important to provide notice.”
Whereas the new amendments may not provide definite deadlines for breach notification, it does implicitly require companies to have a written information security program in place prior to a breach.
Although the general requirement to have a written information security program, also known as WISP, went into effect in 2010, lawyers contacted by Legaltech News said some companies still aren't in compliance.
“First thing I would tell, and I have told my clients is as the law specified in 2010, you have to maintain a written WISP,” said Rogers. “A WISP requires entities to maintain privacy and security in accordance with specified administrative and physical and technical safeguards. Unfortunately, what we see nine years later, not all organizations that should have a WISP have a WISP.”
Penalties for companies that have experienced a breach or consequences for non-notification aren't listed in the amendments. However, lawyers said, companies may feel regulators' wrath if they have a breach with no WISP enacted beforehand.
“If you have a breach and you don't have a WISP, I think you can anticipate a strong reaction and enforcement action for not having a WISP,” Rogers said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250