Clock's Still Ticking Despite Lack of Deadline in Mass. Breach Law
New amendments to Massachusetts' data breach notification law do not place specific time frames for notifying regulators. But lawyers said breach entities still need to provide notification as soon as possible.
January 22, 2019 at 09:30 AM
4 minute read
Boston Harbor and Financial District at sunset in Boston.
Massachusetts amended its data breach notification law to require the sharing of certain information with state regulators by an unspecified deadline when a breach occurs. However, don't let the unspecified time frame fool you, lawyers warned. Companies are now under a heightened pressure to notify regulators of breaches as soon as possible—with room to issue a revised notice later.
The measure set to go into effect by April 11 includes new language extending free credit monitoring and other rights to residents whose information was breached. Breached entities are also required to share more information in breach notification letters to the Massachusetts attorney general and director of consumer affairs and business regulation.
Such additional information includes the nature of the breach, number of Massachusetts residents affected, person responsible for the breach and information compromised. Companies also have to disclose whether they have a written information security program and the steps taken after the data breach, including updates to their written information security program (WISP).
What Massachusetts' data breach notification law doesn't specify is a time frame for notifying regulators. Instead, it says a notice “shall not be delayed on grounds that the total number of residents affected is not yet ascertained.”
Other states have enacted data breach notification laws and some include a 72-hour or 30-day deadline for companies to notify regulators. Such a bright-line provision can be contested, as the specific time a breach occurred may not be known immediately, noted Ogletree, Deakins, Nash, Smoak & Stewart shareholder Danielle Vanderzanden.
“'There is always room for dispute over the precise point in time that the fact of a breach was discovered,” explained Vanderzanden. “In the vast majority of instances, there is need for follow-up to determine if there's a breach.”
Lawyers said the unspecified deadline for notification doesn't allow companies to be complacent. Instead, the amendment's language allowing companies to update their notification signifies Massachusetts wants immediate initial notification, and updates to notifications are acceptable and perhaps expected.
“I think there's a little more flexibility in the Massachusetts statute that affords entities the ability to do more thorough investigations before making their breach notification, but I point out again that you can't initially delay and claim you don't know the full extent,” said William Rogers of Boston-based Prince Lobel Tye. “[It] is not a legitimate excuse.”
“[At] that point it turns from an incident to a breach, where protected information was disclosed to a third party, I would say in every incidence it is in a company's interest to provide required notification as promptly as possible,” Vanderzanden added. “There's no magic bell in the Massachusetts statute, but as soon as a company [knows] that an individual's data is at risk, it's important to provide notice.”
Whereas the new amendments may not provide definite deadlines for breach notification, it does implicitly require companies to have a written information security program in place prior to a breach.
Although the general requirement to have a written information security program, also known as WISP, went into effect in 2010, lawyers contacted by Legaltech News said some companies still aren't in compliance.
“First thing I would tell, and I have told my clients is as the law specified in 2010, you have to maintain a written WISP,” said Rogers. “A WISP requires entities to maintain privacy and security in accordance with specified administrative and physical and technical safeguards. Unfortunately, what we see nine years later, not all organizations that should have a WISP have a WISP.”
Penalties for companies that have experienced a breach or consequences for non-notification aren't listed in the amendments. However, lawyers said, companies may feel regulators' wrath if they have a breach with no WISP enacted beforehand.
“If you have a breach and you don't have a WISP, I think you can anticipate a strong reaction and enforcement action for not having a WISP,” Rogers said.
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Plaintiff Argues Jury's $22M Punitive Damages Finding Undermines J&J's Talc Trial Win
- 2Bannon's Fraud Trial Delayed One Week as New, 'More Aggressive,' Defense Attorneys Get Ready
- 3'AI-Generated' Case References? This African Law Firm Is Under Investigation
- 4John Deere Annual Meeting Offers Peek Into DEI Strife That Looms for Companies Nationwide
- 5Why Associates in This Growing Legal Market Are Leaving Their Firms
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
