Massachusetts Legislative Update



The Massachusetts legislature recently enacted legislation to protect consumer information, effective April 10, 2019.


“Breach of security” means the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.


“Personal information” means a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

  • Social Security number;
  • Driver’s license number or state-issued identification card number; or
  • Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.


“User” means a person seeking or obtaining a consumer report for an authorized purpose.


A user may not obtain, use or seek the consumer report of a consumer unless the user:

  • Obtains the prior written, verbal or electronic consent of the consumer, as is appropriate for the manner in which the transaction or extension of credit was negotiated or entered into; and
  • Discloses, prior to obtaining the consumer’s consent, the user’s reason for accessing the consumer report to the consumer.


A user who has already secured the consent of the consumer, or an investor or potential investor of an existing credit obligation, may obtain a consumer report in connection with:

  • The same transaction;
  • Reviewing an existing account;
  • Increasing the credit line on an existing account;
  • Taking collection action on an existing account;
  • Providing products and services or offering of products and services to an existing customer’s account; or
  • Any other permissible purpose.


A user may not require or request that a consumer waive these provisions, and any such waiver will be void. Failure to comply with these provisions will constitute an unfair practice.


A consumer reporting agency may not charge a fee to any consumer who elects to place, lift or remove a security freeze from a consumer report.


Any business that experiences a security breach must notify the consumers affected as well as the attorney general and state regulators. If such breach of security includes a Social Security number, the business must provide 18 months of free credit monitoring to the consumers affected.



Diane Jenkins

Director, National Mortgage Compliance Practice Group, AsurityDocs; Of Counsel, Sandler Law Group
