| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | HOUSE DOCKET, NO. 1851 FILED ON: 1/18/2023 |
|---|
| 3 | 3 | | HOUSE . . . . . . . . . . . . . . . No. 76 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Tram T. Nguyen |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act relative to protecting sensitive information from security breaches. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :DATE ADDED:Tram T. Nguyen18th Essex1/18/2023 1 of 7 |
|---|
| 16 | 16 | | HOUSE DOCKET, NO. 1851 FILED ON: 1/18/2023 |
|---|
| 17 | 17 | | HOUSE . . . . . . . . . . . . . . . No. 76 |
|---|
| 18 | 18 | | By Representative Nguyen of Andover, a petition (accompanied by bill, House, No. 76) of Tram |
|---|
| 19 | 19 | | T. Nguyen relative to protecting sensitive information from security breaches. Advanced |
|---|
| 20 | 20 | | Information Technology, the Internet and Cybersecurity. |
|---|
| 21 | 21 | | The Commonwealth of Massachusetts |
|---|
| 22 | 22 | | _______________ |
|---|
| 23 | 23 | | In the One Hundred and Ninety-Third General Court |
|---|
| 24 | 24 | | (2023-2024) |
|---|
| 25 | 25 | | _______________ |
|---|
| 26 | 26 | | An Act relative to protecting sensitive information from security breaches. |
|---|
| 27 | 27 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 28 | 28 | | of the same, as follows: |
|---|
| 29 | 29 | | 1 SECTION 1. Section 1 of chapter 93H of the General Laws is hereby amended by |
|---|
| 30 | 30 | | 2inserting after the definition of “Agency” the following definition:- |
|---|
| 31 | 31 | | 3 “Biometric information”, a retina or iris scan, fingerprint, voiceprint, map or scan of hand |
|---|
| 32 | 32 | | 4or face geometry, vein pattern, gait pattern, or other data generated from the specific technical |
|---|
| 33 | 33 | | 5processing of an individual’s unique biological or physiological patterns or characteristics used |
|---|
| 34 | 34 | | 6to authenticate or identify a specific individual; provided, however, that “biometric information” |
|---|
| 35 | 35 | | 7shall not include: |
|---|
| 36 | 36 | | 8 (i) a digital or physical photograph; |
|---|
| 37 | 37 | | 9 (ii) an audio or video recording; or |
|---|
| 38 | 38 | | 10 (iii) data generated from a digital or physical photograph, or an audio or video recording, |
|---|
| 39 | 39 | | 11unless such data is generated to identify a specific individual. 2 of 7 |
|---|
| 40 | 40 | | 12 SECTION 2. Said section 1 of said chapter 93H is hereby further amended by striking out |
|---|
| 41 | 41 | | 13the definition of “Breach of security” and inserting in place thereof the following definition:- |
|---|
| 42 | 42 | | 14 “Breach of security”, the unauthorized acquisition or use of unencrypted electronic data, |
|---|
| 43 | 43 | | 15or encrypted electronic data when the encryption key or security credential has been acquired; |
|---|
| 44 | 44 | | 16provided, however, that such unauthorized acquisition or use compromises the security, |
|---|
| 45 | 45 | | 17confidentiality, or integrity of personal information maintained by a person or agency; and |
|---|
| 46 | 46 | | 18provided further, that a good faith but unauthorized acquisition of personal information by an |
|---|
| 47 | 47 | | 19employee or agent of a person or agency for the lawful purposes of such person or agency is not |
|---|
| 48 | 48 | | 20a breach of security unless the personal information is used in an unauthorized manner or subject |
|---|
| 49 | 49 | | 21to further unauthorized disclosure. |
|---|
| 50 | 50 | | 22 SECTION 3. Said section 1 of said chapter 93H is hereby further amended by inserting |
|---|
| 51 | 51 | | 23after the definition of “Encrypted” the following definitions:- |
|---|
| 52 | 52 | | 24 “Genetic information”, information, regardless of format, that: |
|---|
| 53 | 53 | | 25 (i) results from the analysis of a biological sample of an individual, or from another |
|---|
| 54 | 54 | | 26source enabling equivalent information to be obtained; and |
|---|
| 55 | 55 | | 27 (ii) concerns an individual’s genetic material, including, but not limited to, |
|---|
| 56 | 56 | | 28deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, |
|---|
| 57 | 57 | | 29alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), |
|---|
| 58 | 58 | | 30uninterpreted data that results from analysis of the biological sample or other source, and any |
|---|
| 59 | 59 | | 31information extrapolated, derived, or inferred therefrom. 3 of 7 |
|---|
| 60 | 60 | | 32 "Health insurance information”, an individual’s health insurance policy number, |
|---|
| 61 | 61 | | 33subscriber identification number, or any identifier used by a health insurer to identify the |
|---|
| 62 | 62 | | 34individual. |
|---|
| 63 | 63 | | 35 “Medical information”, information regarding an individual’s medical history, mental or |
|---|
| 64 | 64 | | 36physical condition, or medical treatment or diagnosis by a healthcare professional. |
|---|
| 65 | 65 | | 37 SECTION 4. Said section 1 of said chapter 93H is hereby further amended by striking out |
|---|
| 66 | 66 | | 38the definition of “Personal information” and inserting in place thereof the following definition:- |
|---|
| 67 | 67 | | 39 “Personal information” shall mean either of the following: |
|---|
| 68 | 68 | | 40 (i) a resident’s first name and last name or first initial and last name in combination with |
|---|
| 69 | 69 | | 41any 1 or more of the following data elements that relate to such resident: |
|---|
| 70 | 70 | | 42 (A) social security number; |
|---|
| 71 | 71 | | 43 (B) taxpayer identification number or identity protection personal identification number |
|---|
| 72 | 72 | | 44issued by the Internal Revenue Service; |
|---|
| 73 | 73 | | 45 (C) driver’s license number, passport number, military identification number, state-issued |
|---|
| 74 | 74 | | 46identification card number, or other unique identification number issued by the government that |
|---|
| 75 | 75 | | 47is commonly used to verify the identity of a specific individual; |
|---|
| 76 | 76 | | 48 (D) financial account number, or credit or debit card number, with or without any |
|---|
| 77 | 77 | | 49required security code, access code, personal identification number or password, that would |
|---|
| 78 | 78 | | 50permit access to a resident's financial account; |
|---|
| 79 | 79 | | 51 (E) biometric information; 4 of 7 |
|---|
| 80 | 80 | | 52 (F) date of birth; |
|---|
| 81 | 81 | | 53 (G) genetic information; |
|---|
| 82 | 82 | | 54 (H) health insurance information; |
|---|
| 83 | 83 | | 55 (I) medical information; or |
|---|
| 84 | 84 | | 56 (J) specific geolocation information; or |
|---|
| 85 | 85 | | 57 (ii) a username or electronic mail address, in combination with a password or security |
|---|
| 86 | 86 | | 58question and answer that would permit access to an online account. |
|---|
| 87 | 87 | | 59 SECTION 5. Said section 1 of said chapter 93H is hereby further amended by inserting |
|---|
| 88 | 88 | | 60after the definition of “Personal information” the following definition:- |
|---|
| 89 | 89 | | 61 “Specific geolocation information”, information derived from technology including, but |
|---|
| 90 | 90 | | 62not limited to, global positioning system level latitude and longitude coordinates or other |
|---|
| 91 | 91 | | 63mechanisms that directly identify the specific location of an individual within a geographic area |
|---|
| 92 | 92 | | 64that is equal to or less than the area of a circle with a radius of 1,850 feet; provided, however, |
|---|
| 93 | 93 | | 65that “geolocation information” shall exclude the content of communications or any information |
|---|
| 94 | 94 | | 66generated by or connected to advanced utility metering infrastructure systems or equipment for |
|---|
| 95 | 95 | | 67use by a utility. |
|---|
| 96 | 96 | | 68 SECTION 6. Section 2 of said chapter 93H is hereby amended by inserting the following |
|---|
| 97 | 97 | | 69subsection:- 5 of 7 |
|---|
| 98 | 98 | | 70 (d) The rules and regulations adopted pursuant to this section shall be updated from time |
|---|
| 99 | 99 | | 71to time to reflect any changes to the definitions of “breach of security” or “personal information” |
|---|
| 100 | 100 | | 72in section 1. |
|---|
| 101 | 101 | | 73 SECTION 7. Section 3 of said chapter 93H is hereby amended by inserting after the |
|---|
| 102 | 102 | | 74words “unauthorized purpose” in subsection (b) the following words:- and such use or |
|---|
| 103 | 103 | | 75acquisition presents a reasonably foreseeable risk of financial, physical, reputational or other |
|---|
| 104 | 104 | | 76cognizable harm to the resident. |
|---|
| 105 | 105 | | 77 SECTION 8. Said section 3 of said chapter 93H is hereby further amended by striking out |
|---|
| 106 | 106 | | 78clause (vii) of subsection (b) and inserting in place thereof the following clause:- (vii) the type of |
|---|
| 107 | 107 | | 79personal information compromised, including, but not limited to, any of the categories of |
|---|
| 108 | 108 | | 80personal information set forth in subclauses (A) through (J) of clause (i) or in clause (ii) of the |
|---|
| 109 | 109 | | 81definition of “personal information” in section 1. |
|---|
| 110 | 110 | | 82 SECTION 9. Said section 3 of said chapter 93H is hereby further amended by striking out |
|---|
| 111 | 111 | | 83the last sentence of the first paragraph of subsection (b) and inserting in place thereof the |
|---|
| 112 | 112 | | 84following sentence:- A person who experienced a breach of security shall file a report with the |
|---|
| 113 | 113 | | 85attorney general and the director of consumer affairs and business regulation certifying their |
|---|
| 114 | 114 | | 86credit monitoring services comply with section 3A; provided, however, that such a report shall |
|---|
| 115 | 115 | | 87not be required if the personal information compromised by the breach of security is medical |
|---|
| 116 | 116 | | 88information or specific geolocation information. |
|---|
| 117 | 117 | | 89 SECTION 10. Said section 3 of said chapter 93H is hereby further amended by striking |
|---|
| 118 | 118 | | 90out the third paragraph of subsection (b) and inserting in place thereof the following paragraphs:- 6 of 7 |
|---|
| 119 | 119 | | 91 The notice to be provided to the resident shall include, but shall not be limited to: (i) the |
|---|
| 120 | 120 | | 92date, estimated date, or estimated date range of the breach of security; (ii) the type of personal |
|---|
| 121 | 121 | | 93information compromised, including, but not limited to, any of the categories of personal |
|---|
| 122 | 122 | | 94information set forth in subclauses (A) through (J) of clause (i) or in clause (ii) of the definition |
|---|
| 123 | 123 | | 95of “personal information” in section 1; (iii) a general description of the breach of security; (iv) |
|---|
| 124 | 124 | | 96information that the resident can use to contact the person or agency reporting the breach of |
|---|
| 125 | 125 | | 97security; (v) the resident’s right to obtain a police report; (vi) how a resident may request a |
|---|
| 126 | 126 | | 98security freeze and the necessary information to be provided when requesting the security freeze; |
|---|
| 127 | 127 | | 99(vii) a statement that there shall be no charge for a security freeze; (viii) mitigation services to be |
|---|
| 128 | 128 | | 100provided pursuant to this chapter; and (ix) the toll-free numbers, address, and website for the |
|---|
| 129 | 129 | | 101federal trade commission. The notice shall not need to include information pursuant to clauses |
|---|
| 130 | 130 | | 102(vi) and (vii) if the personal information compromised by the breach of security is medical |
|---|
| 131 | 131 | | 103information or specific geolocation information. |
|---|
| 132 | 132 | | 104 The person or agency that experienced the breach of security shall provide a sample copy |
|---|
| 133 | 133 | | 105of the notice it sent to consumers to the attorney general and the office of consumer affairs and |
|---|
| 134 | 134 | | 106business regulation. A notice provided pursuant to this section shall not be delayed on grounds |
|---|
| 135 | 135 | | 107that the total number of residents affected is not yet ascertained. In such case, and where |
|---|
| 136 | 136 | | 108otherwise necessary to update or correct the information required, a person or agency shall |
|---|
| 137 | 137 | | 109provide additional notice as soon as practicable and without unreasonable delay upon learning |
|---|
| 138 | 138 | | 110such additional information. |
|---|
| 139 | 139 | | 111 If the breach of security involves log-in credentials, pursuant to clause (ii) of the |
|---|
| 140 | 140 | | 112definition of “personal information” in section 1, for an online account and no other personal |
|---|
| 141 | 141 | | 113information, the person or agency may comply with this chapter by providing notice in electronic 7 of 7 |
|---|
| 142 | 142 | | 114or other form; provided, however, that such notice shall direct the resident whose personal |
|---|
| 143 | 143 | | 115information has been breached to: (i) promptly change the resident’s password and security |
|---|
| 144 | 144 | | 116question or answer, as applicable; or (ii) take other steps appropriate to protect the affected |
|---|
| 145 | 145 | | 117online account with the person or agency and all other online accounts for which the resident |
|---|
| 146 | 146 | | 118whose personal information has been breached uses the same username or electronic mail |
|---|
| 147 | 147 | | 119address and password or security question or answer. |
|---|
| 148 | 148 | | 120 If the breach of security involves the log-in credentials, pursuant to clause (ii) of the |
|---|
| 149 | 149 | | 121definition of “personal information” in section 1, of an electronic mail account furnished by a |
|---|
| 150 | 150 | | 122person or agency, the person or agency shall not comply with this chapter by providing notice of |
|---|
| 151 | 151 | | 123the breach of security to such electronic mail address but shall instead provide notice by another |
|---|
| 152 | 152 | | 124acceptable method of notice pursuant to this chapter or by clear and conspicuous notice delivered |
|---|
| 153 | 153 | | 125to the resident online when the resident is connected to the online account from an internet |
|---|
| 154 | 154 | | 126protocol address or online location from which the person or agency knows the resident |
|---|
| 155 | 155 | | 127customarily accesses the account. |
|---|