SECTION 1: Section 1 of chapter 93H as appearing in the 2012 official Edition, is hereby amended by striking out said section and inserting in place thereof the following section:–
1. (a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:
“Access device”, a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card.
“Agency”, any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.
“Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates an identifiable risk of identity theft or fraud. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
“Card security code”, the three-digit or four-digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device which is used to validate access device information during the authorization process.
“Data”, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
“Electronic”, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.
“Encrypted”, transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.
“Financial institution”, any office of a trust company, commercial bank, industrial loan company, savings bank, savings and loan association, cooperative bank or credit union chartered by the commonwealth or by another state of the United States, the District of Columbia, the commonwealth of Puerto Rico, a territory of possession of the United States, or a country other than the United States, or a national banking association, federal savings and loan association, federal savings bank or federal credit union.
“Magnetic stripe data", the data contained in the magnetic stripe of an access device.
“Microprocessor chip data", the data contained in the microprocessor chip of an access device.
“Notice”, shall include:
(i) written notice;
(ii) electronic notice, if notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 (c) of Title 15 of the United States Code; and chapter 110G; or
(iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice.
“Person”, a natural person, corporation, association, partnership or other legal entity.
“Personal information”, a resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver’s license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
“PIN”, a personal identification code that identifies the cardholder.
“PIN verification code number”, the data used to verify cardholder identity when a PIN is used in a transaction.
“Service provider”, a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.
“Substitute notice”, shall consist of all of the following:
(i) electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents;
(ii) clear and conspicuous posting of the notice on the home page of the person or agency if the person or agency maintains a website; and
(iii) publication in or broadcast through media or medium that provides notice throughout the commonwealth.
(b) The department of consumer affairs and business regulation may adopt regulations, from time to time, to revise the definition of “encrypted”, as used in this chapter, to reflect applicable technological advancements.
SECTION 2: Section 3 of said chapter 93H is hereby further amended by striking out the third paragraph and inserting in place thereof the following paragraph:–
The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.
SECTION 3: Said chapter 93H is hereby further amended by striking out sections 5 and 6 and inserting in place thereof the following 6 sections:–
Section 5. No person or entity conducting business in Massachusetts that accepts an access device in connection with a transaction shall retain, or otherwise permit its retention of, the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data or microprocessor chip data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if such data remains in its possession, or the possession of its service provider, intentionally or unintentionally, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.
Section 6. Whenever there is a breach of the security of the system of a person or entity that has violated Section 5 herein, or a breach of the security of the system of that person's or entity's service provider, that person or entity shall be liable, without a showing of fault, to the financial institution that issued any access devices affected by the data breach for all resulting damages, including, but not limited to, the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to, any cost incurred in connection with:
(1) the cancellation or reissuance of any access device affected by the breach;
(2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts;
(3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;
(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and
(5) the notification of cardholders affected by the breach.
Section 7. Any person or entity conducting business in Massachusetts that accepts an access device in connection with a transaction shall take reasonable action to secure, at all times, the card security code data, the PIN verification code number, and the full contents of any track of magnetic stripe data or microprocessor chip data. Whenever there is a breach of the security of the system of a person or entity that has failed to take such reasonable action required by this section, that person or entity shall be liable to any financial institution that issued any access devices affected by the data breach for all resulting damages including, but not limited to, all damages set forth in Section 6 herein.
Section 8. Any financial institution suffering damages set forth in Sections 6 and 7 may recover such damages in an action at law instituted in any court of competent jurisdiction. Such damages shall not include, and are to be offset by, any amounts recovered from a credit card company by a financial institution, as a result of the relevant data breach. The remedies hereunder are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.
Section 9. This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.
Section 10. The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.
The information contained in this website is for general information purposes only. The General Court provides this information as a public service and while we endeavor to keep the data accurate and current to the best of our ability, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.