Data Breach Bill Moving in Massachusetts Legislature | ANA Government Relations | ANA

Data Breach Bill Moving in Massachusetts Legislature

A significant data breach bill is moving quickly through the Massachusetts Senate which could have very serious negative consequences for advertisers and marketers.

The Massachusetts Governor vetoed a data breach bill presented to him earlier this year. The bill, opposed by industry, would have rewritten Massachusetts data breach law to eliminate the “harm trigger” in current law and require breached entities to provide “rolling” multiple notifications to affected consumers.

Following the Governor’s veto, the bill was reintroduced as HB 4873. This type of bill reintroduction is usually a purely parliamentary procedure in Massachusetts, and typically the bill dies. However, last week the Massachusetts House of Representatives, in a very unusual move, took up and passed the reintroduced HB 4873 that has no “harm trigger” and would require “rolling” notifications.

Without a “harm trigger” in the law, any data breach would require notification to potentially affected consumers – even if the breach poses no substantial risk of identity theft or fraud. This change in the law would soon lead to “over warning” consumers and potentially cause them to ignore data breach notifications, including even those breaches that actually do pose a serious risk.

“Rolling” breach notifications would require entities suffering a breach to notify consumers shortly after their discovery and require continued notifications into the future. Again, this causes the problem of “over warning” consumers with multiple notices for the same breach and imposes unnecessary risks to companies seeking to investigate and remediate the causes of the breach internally and with law enforcement. Moreover, “rolling” breach notifications increase the risk of litigation that, combined with the lack of a “harm trigger” would severely impact companies through increased litigation costs.

ANA has sent a letter opposing the bill.  

If you have any questions about this bill or other state privacy bills, please contact Dan Jaffe (djaffe@ana.net) or Chris Oswald (coswald@ana.net) in ANA’s Washington, D.C. office at 202.296.1883.