States are passing legislation to address public concerns over the protection of personal data and over notification and remedies when that data is breached. So far in 2019, Vermont began regulating data brokers, and South Carolina’s adoption of the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law became effective, adding significant breach notification and information security requirements for entities licensed by state insurance regulators, including insurers and agents. The North Carolina Attorney General announced a proposal to make significant changes to that state’s notification law, among them requiring notification for ransomware attacks.

[Map of state breach legislation: the darker the state, the stricter the breach legislation.]

The trend continues in Massachusetts, where last week Gov. Charlie Baker signed legislation substantially updating the state’s breach notification law to add 18 months of credit monitoring for any breach involving Social Security numbers (42 months for consumer reporting agencies that are breached).

Other key changes to the MA legislation include:

  • Breaches must be reported to the Attorney General and Office of Consumer Affairs, and they will want to see your Written Information Security Program (WISP).
  • Parent companies may have to answer if a subsidiary is breached. Parents and affiliated companies may also want to revisit their cyber insurance policies to assess coverage for losses that may arise out of a subsidiary’s breach. For the breached subsidiary, this provision may mean involving its parent company sooner and more extensively in the breach response process.
  • Breached organizations must notify “as soon as practical” and continue to provide updates.
  • Breaches will be listed on the Office of Consumer Affairs and Business Regulation website.