Skip to Content
The 191st General Court of the Commonwealth of Massachusetts

AN ACT RELATIVE TO CONSUMER PROTECTION FROM SECURITY BREACHES.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1.  Section 50 of chapter 93 of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out the definition of “Consumer” and inserting in place thereof the following 2 definitions:-

“Breach of security”, shall have the same meaning as in section 1 of chapter 93H.

“Consumer”, an individual.

SECTION 2.  Said section 50 of said chapter 93, as so appearing, is hereby further amended by inserting after the definition of “Person” the following definition:-

“Personal information”, shall have the same meaning as in section 1 of chapter 93H.

SECTION 3.  Said chapter 93 is hereby further amended by inserting after section 51A the following section:-

Section 51B.  This section shall not apply to users who acquire from consumer reporting agencies a consumer report pursuant to section 51 and 15 U.S.C. section 1681b.

A user shall not obtain, use or seek the consumer report of a consumer unless the user: (i) obtains the prior written, verbal or electronic consent of the consumer, as is appropriate for the manner in which the transaction or extension of credit was negotiated or entered into; and (ii) discloses, prior to obtaining the consumer’s consent, the user’s reason for accessing the consumer report to the consumer.

Nothing shall prohibit a user who has already secured the consent of the consumer, or an investor or potential investor of an existing credit obligation, from obtaining a consumer report in connection with: (i) the same transaction; (ii) reviewing an existing account; (iii) increasing the credit line on an existing account; (iv) taking collection action on an existing account; (v) providing products and services or offering of products and services to an existing consumer’s account.

A user shall not require or request that a consumer waive this section and any such waiver shall be void. Failure to comply with this section shall constitute an unfair practice under clause (a) of section 2 of chapter 93A.

Notwithstanding the restrictions of this section, the department of children and families shall be permitted to obtain a consumer report for any child in the department’s custody who is 14 years of age or older without obtaining the consent of the child or disclosing to the child the department’s reason for accessing the consumer report in order to fulfill the department’s obligations pursuant to 42 U.S.C. 675(5)(I), Public Law 113-183 and section 52A, or any other similar requirement of federal or state law.

The department of consumer affairs and business regulation may promulgate regulations interpreting and applying this section.

SECTION 4.  Said chapter 93 is hereby further amended by striking out section 56, as appearing in the 2016 Official Edition, and inserting in place thereof the following section:-

Section 56.  (a) Every consumer reporting agency shall, upon request and proper identification of any consumer, clearly and accurately disclose to the consumer:

(1)  the nature, contents and substance of all information, except medical information, in its file on the consumer at the time of the request, and which is obtainable based upon the identifying information supplied by the consumer when making such request, and if such consumer has made a written request, deliver a written copy, photocopy or electronic copy, of all such information except any code identifications which are used solely for purposes of transferring such information to and from consumer reporting agencies; provided, however, that the names of the users corresponding to the code identifications shall be disclosed to the consumer; and provided further, that the agency shall provide a clear, simple and plain meaning explanation of the information provided under this paragraph and such explanation shall be in a readable format and type, which shall not be smaller than 10 point type;

(2)  the sources of all credit information obtained through routine credit reporting or through any other credit reporting techniques in the file at the time of the request, except that the sources of information acquired solely for use in preparing an investigative consumer report and actually used for no other purpose need not be disclosed; provided, however, that, in the event an action is brought pursuant to section 65, such sources shall be available to the plaintiff under appropriate discovery procedures in the court in which the action is brought; and

(3)  the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.

(b)  In accordance with 15 U.S.C. section 1681c-1, every consumer reporting agency, upon contact by a consumer by phone, mail or electronic communication, or in person regarding information which may be contained in the agency files regarding that consumer, shall with each written disclosure, or in response to a request by the consumer to be advised as to the consumer’s rights, promptly advise the consumer of the consumer’s rights under this section. The written notice shall be in a clear and conspicuous format and be no smaller than 10 point type. The notice shall inform the consumer of the consumer’s rights under this chapter, provided in a clear and conspicuous manner, in substantially the following manner:

“You have a right to obtain a copy of your credit file from a consumer credit reporting agency. You may be charged a reasonable fee not exceeding $8. There is no fee, however, if you have been turned down for credit, employment, insurance or rental dwelling because of information in your credit report within the preceding 60 days. The consumer credit reporting agency must provide someone to help you interpret the information in your credit file. Each calendar year you are entitled to receive, upon request, one free consumer credit report.

You have a right to dispute inaccurate information by contacting the consumer reporting agency directly, either in writing, by mail or electronic communication through the credit reporting agency website, or by telephone. The consumer reporting agency shall provide, upon request and without unreasonable delay, a live representative of the consumer reporting agency to assist in dispute resolution whenever possible and practicable, or to the extent consistent with federal law. However, neither you nor any credit repair company or credit service organization has the right to have accurate, current and verifiable information removed from your credit report. In most cases, under state and federal law, the consumer credit reporting agency must remove accurate, negative information from your report only if it is more than 7 years old, and must remove bankruptcy information only if it is more than 10 years old.

If you have notified a consumer credit reporting agency in writing that you dispute the accuracy of information in your file, the consumer credit reporting agency must then, within 30 business days, reinvestigate and modify or remove inaccurate information. The consumer credit reporting agency may not charge a fee for this service. Any pertinent information and copies of all documents you have concerning a dispute should be given to the consumer credit reporting agency.

If reinvestigation does not resolve the dispute to your satisfaction, you may send a statement to the consumer credit reporting agency to keep in your file, explaining why you think the record is inaccurate. The consumer credit reporting agency must include your statement about the disputed information in a report it issues about you.

You have a right to receive a record of all inquiries relating to a credit transaction initiated in the 6 months preceding your request, or 2 years in the case of a credit report used for employment purposes. This record shall include the recipients of any consumer credit report.

You have the right to opt out of any prescreening lists compiled by or with the assistance of a consumer credit reporting agency by calling the agency’s toll-free telephone number, or by contacting the agency through electronic communication or in writing. You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person’s negligent or intentional failure to comply with the credit reporting act.

You have a right to request a “security freeze” on your consumer report. The security freeze will prohibit a consumer reporting agency from releasing any information in your consumer report without your express authorization. A security freeze shall be requested by sending a request either by toll-free telephone, secure electronic means or mail consistent with 15 U.S.C. section 1681c-1 to a consumer reporting agency. The security freeze is designed to prevent credit, loans or services from being approved in your name without your consent. You should be aware that using a security freeze may delay, interfere with, or prevent the timely approval of any subsequent request or application you make regarding new loans, credit, mortgage, insurance, government services or payments, rental housing, employment, investment, license, cellular phone, utilities, digital signature, internet credit card transactions or other services, including an extension of credit at point of sale.

When you place a security freeze on your consumer report, within 5 business days of receiving your request for a security freeze, the consumer reporting agency shall send confirmation of the security freeze consistent with 15 U.S.C. section 1681c-1.”.

SECTION 5.  Section 57 of said chapter 93, as so appearing, is hereby amended by inserting after the word “only”, in line 13, the following words:-; or 

(4)  by electronic communication if the consumer has made a written, verbal or electronic request, with proper identification.

SECTION 6.  Section 62A of said chapter 93, as so appearing, is hereby amended by striking out  the eleventh paragraph and inserting in place thereof the following paragraph:-

In accordance with 15 U.S.C section 1681c-1 and to the extent permitted by federal law, a consumer reporting agency shall not charge a fee to any consumer who elects to place, lift or remove a security freeze from a consumer report.

SECTION 7.  Said chapter 93 is hereby further amended by inserting after section 62A the following section:-

Section 62B.  A consumer reporting agency shall not knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer’s credit unless at the time of transaction the consumer reporting agency: (i) notifies the consumer of the availability of obtaining a security freeze without charge and (ii) provides information to the consumer on how to obtain a security freeze.

A consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and receives a request by a consumer for a security freeze shall identify, to the best of its knowledge, any other consumer reporting agency that compiles and maintains files on consumers on a nationwide basis and inform consumers of appropriate websites, toll-free telephone numbers and mailing addresses that would permit the consumer to place, lift or remove a security freeze from such other consumer reporting agency. The consumer reporting agencies subject to this section may establish a centralized source, including, but not limited to, a website, that directs a consumer to such websites, toll-free telephone numbers and mailing addresses.

SECTION 8.  The first paragraph of subsection (b) of section 3 of chapter 93H of the General Laws, as appearing in the 2016 Official Edition, is hereby amended by striking out the last sentence of and inserting in place thereof the following sentence:-

The notice to be provided to the attorney general and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of the commonwealth affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security ; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program. A person who experienced a breach of security shall file a report with the attorney general and the director of consumer affairs and business regulation certifying their credit monitoring services comply with section 3A.

SECTION 9.  Said subsection (b) of said section 3 of said chapter 93H, as so appearing, is hereby further amended by striking out the last paragraph and inserting in place thereof the following paragraph:-

The notice to be provided to the resident shall include, but shall not be limited to: (i) the resident’s right to obtain a police report; (ii) how a resident may request a security freeze and the necessary information to be provided when requesting the security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided pursuant to this chapter; provided, however, that said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use. The person or agency that experienced the breach of security shall provide a sample copy of the notice it sent to consumers to the attorney general and the office of consumer affairs and business regulation. A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained. In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.

SECTION 10.  Said section 3 of said chapter 93H, as so appearing, is hereby further amended by striking out subsection (c) and inserting in place thereof the following 3 subsections:-

(c)  As practicable and as not to impede active investigation by the attorney general or other law enforcement agency, the office of consumer affairs and business regulation shall: (i) make available electronic copies of the sample notice sent to consumers on its website and post such notice within 1 business day upon receipt from the person that experienced a breach of security; (ii) update the breach of security notification report on its website as soon as practically possible after the information has been verified by said office but not more than 10 business days after receipt unless the information provided is not verifiable; provided, however, that the office shall post said notice as soon as verified; (iii) amend, on a recurring basis, the breach of security notification report to include new information discovered through the investigation process or new subsequent findings from a previously reported breach of security; and (iv) instruct consumers on how they may file a public records request to obtain a copy of the notice provided to the attorney general and said director from the person who experienced a breach of security.

(d)  If the person or agency that experienced a breach of security is owned by another person or corporation, the notice to the consumer shall include the name of the parent or affiliated corporation.

(e)  If an agency is within the executive department, it shall provide written notification of the nature and circumstances of the breach of security or unauthorized acquisition or use to the executive office of technology services and security and the division of public records in the office of the state secretary as soon as practicable and without unreasonable delay following the discovery of a breach of security or unauthorized acquisition or use, and shall comply with all policies and procedures adopted by the executive office of technology services and security pertaining to the reporting and investigation of such an incident.

(f)  The department of consumer affairs and business regulation may promulgate regulations interpreting and applying this section.

SECTION 11.  Said chapter 93H is hereby further amended by inserting after section 3 the following section:-

Section 3A.  (a) If a person knows or has reason to know that said person experienced an incident that requires notice pursuant to section 3 and such breach of security includes a social security number, the person shall contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months; provided, however, that if the person that has experienced a breach of security is a consumer reporting agency, then said consumer reporting agency shall contract with a third party to offer each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to such resident for a period of not less than 42 months.  Said contracts shall not include reciprocal agreements for services in lieu of payment or fees. The person or agency shall provide all information necessary for the resident to enroll in credit monitoring services and shall include information on how the resident may place a security freeze on the resident’s consumer credit report.

(b)  A person that experienced a breach of security shall not require a resident to waive the resident’s right to a private right of action as a condition of the offer of credit monitoring services.

(c)  The department of consumer affairs and business regulation may promulgate regulations interpreting and applying this section.

Approved, January 10, 2019.