SENATE DOCKET, NO. 606        FILED ON: 1/15/2019

SENATE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 180


The Commonwealth of Massachusetts

_________________

PRESENTED BY:

Michael J. Rodrigues

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act relative to the security of personal financial information.

_______________

PETITION OF:

Name:                         District/Address:               Date:
Michael J. Rodrigues          First Bristol and Plymouth
Paul A. Schmid, III           8th Bristol                     1/23/2019
Michael J. Soter              8th Worcester                   1/24/2019
Alan Silvia                   7th Bristol                     1/29/2019
Donald F. Humason, Jr.        Second Hampden and Hampshire    2/1/2019
Carole A. Fiola               6th Bristol                     2/1/2019


By Mr. Rodrigues, a petition (accompanied by bill, Senate, No. 180) of Michael J. Rodrigues, Paul A. Schmid, III, Michael J. Soter, Alan Silvia and other members of the General Court for legislation relative to the security of personal financial information.  Consumer Protection and Professional Licensure.

[SIMILAR MATTER FILED IN PREVIOUS SESSION. SEE SENATE, NO. 149 OF 2017-2018.]


The Commonwealth of Massachusetts


_______________

In the One Hundred and Ninety-First General Court
(2019-2020)

_______________


An Act relative to the security of personal financial information.


Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1.  Section 1 of chapter 93H, as so appearing, is hereby amended by striking out said section and inserting in place thereof the following section:-

1. (a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—

"Access device", a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card.

“Agency”, any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.

“Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

"Card security code", the three-digit or four-digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device which is used to validate access device information during the authorization process.

“Data”, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

“Electronic”, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

“Encrypted”, transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

"Financial institution", any office of a trust company, commercial bank, industrial loan company, savings bank, savings and loan association, cooperative bank or credit union chartered by the commonwealth or by another state of the United States, the District of Columbia, the commonwealth of Puerto Rico, a territory or possession of the United States, or a country other than the United States, or a national banking association, federal savings and loan association, federal savings bank or federal credit union which has its main office located in the commonwealth or in any other jurisdiction named herein, or a regulated lender.

“Magnetic stripe data”, the data contained in the magnetic stripe of an access device.

“Microprocessor chip data”, the data contained in the microprocessor chip of an access device.

“Notice”, shall include:—

(i) written notice;

(ii) electronic notice, if notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 (c) of Title 15 of the United States Code; and chapter 110G; or

(iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice.

“Person”, a natural person, corporation, association, partnership or other legal entity.

“Personal information”, a resident’s first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

"PIN", a personal identification code that identifies the cardholder.

"PIN verification code number", the data used to verify cardholder identity when a PIN is used in a transaction.

"Service provider", a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

“Substitute notice”, shall consist of all of the following:—

(i) electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents;

(ii) clear and conspicuous posting of the notice on the home page of the person or agency if the person or agency maintains a website; and

(iii) publication in or broadcast through media or medium that provides notice throughout the commonwealth.

(b) The department of consumer affairs and business regulation may adopt regulations, from time to time, to revise the definition of “encrypted”, as used in this chapter, to reflect applicable technological advancements.

SECTION 2. Section 3 of said chapter 93H is hereby further amended by striking out the third paragraph and inserting in place thereof the following paragraph:-

The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.

SECTION 3. Sections 5 and 6 of chapter 93H are hereby repealed and replaced with the following sections:-

Section 5:- No person or entity conducting business in Massachusetts that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or, in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or, in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

Section 6:- Whenever there is a breach of the security of the system of a person or entity that has violated this section, or that person's or entity's service provider, that person or entity shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders, including but not limited to, any cost incurred in connection with:

(1) the cancellation or reissuance of any access device affected by the breach;

(2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts;

(3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;

(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and

(5) the notification of cardholders affected by the breach.

The financial institution is also entitled to recover costs for damages paid by the financial institution to cardholders injured by a breach of the security of the system of a person or entity that has violated this section. Costs do not include any amounts recovered from a credit card company by a financial institution. The remedies under this subdivision are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.

Section 7:- This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information; provided however, a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach. The notice to be provided to the attorney general and the director of the office of consumer affairs and business regulation shall consist of, but not be limited to, any steps the person or agency has taken or plans to take relating to the breach pursuant to the applicable federal law, rule, regulation, guidance or guidelines; provided further that if said person or agency does not comply with applicable federal laws, rules, regulations, guidance or guidelines, then it shall be subject to the provisions of this chapter.

Section 8:- The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.