| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | HOUSE DOCKET, NO. 3351 FILED ON: 1/17/2025 |
|---|
| 3 | 3 | | HOUSE . . . . . . . . . . . . . . . No. 358 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Michael S. Day |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act relative to the security of personal financial information. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :DATE ADDED:Michael S. Day31st Middlesex1/17/2025 1 of 6 |
|---|
| 16 | 16 | | HOUSE DOCKET, NO. 3351 FILED ON: 1/17/2025 |
|---|
| 17 | 17 | | HOUSE . . . . . . . . . . . . . . . No. 358 |
|---|
| 18 | 18 | | By Representative Day of Stoneham, a petition (accompanied by bill, House, No. 358) of |
|---|
| 19 | 19 | | Michael S. Day relative to the security of personal financial information. Consumer Protection |
|---|
| 20 | 20 | | and Professional Licensure. |
|---|
| 21 | 21 | | [SIMILAR MATTER FILED IN PREVIOUS SESSION |
|---|
| 22 | 22 | | SEE HOUSE, NO. 281 OF 2023-2024.] |
|---|
| 23 | 23 | | The Commonwealth of Massachusetts |
|---|
| 24 | 24 | | _______________ |
|---|
| 25 | 25 | | In the One Hundred and Ninety-Fourth General Court |
|---|
| 26 | 26 | | (2025-2026) |
|---|
| 27 | 27 | | _______________ |
|---|
| 28 | 28 | | An Act relative to the security of personal financial information. |
|---|
| 29 | 29 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 30 | 30 | | of the same, as follows: |
|---|
| 31 | 31 | | 1 SECTION 1: Section 1 of chapter 93H as appearing in the 2022 Official Edition, is |
|---|
| 32 | 32 | | 2hereby amended by striking out said section and inserting in place thereof the following section:- |
|---|
| 33 | 33 | | 3 Section 1. (a) As used in this chapter, the following words shall, unless the context |
|---|
| 34 | 34 | | 4clearly requires otherwise, have the following meanings: |
|---|
| 35 | 35 | | 5 "Access device", a card issued by a financial institution that contains a magnetic stripe, |
|---|
| 36 | 36 | | 6microprocessor chip, or other means for storage of information which includes, but is not limited |
|---|
| 37 | 37 | | 7to, a credit card, debit card, or stored value card. |
|---|
| 38 | 38 | | 8 “Agency”, any agency, executive office, department, board, commission, bureau, division |
|---|
| 39 | 39 | | 9or authority of the commonwealth, or any of its branches, or of any political subdivision thereof. 2 of 6 |
|---|
| 40 | 40 | | 10 “Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted |
|---|
| 41 | 41 | | 11data or, encrypted electronic data and the confidential process or key that is capable of |
|---|
| 42 | 42 | | 12compromising the security, confidentiality, or integrity of personal information, maintained by a |
|---|
| 43 | 43 | | 13person or agency that creates an identifiable risk of identity theft or fraud. A good faith but |
|---|
| 44 | 44 | | 14unauthorized acquisition of personal information by a person or agency, or employee or agent |
|---|
| 45 | 45 | | 15thereof, for the lawful purposes of such person or agency, is not a breach of security unless the |
|---|
| 46 | 46 | | 16personal information is used in an unauthorized manner or subject to further unauthorized |
|---|
| 47 | 47 | | 17disclosure. |
|---|
| 48 | 48 | | 18 “Data”, any material upon which written, drawn, spoken, visual, or electromagnetic |
|---|
| 49 | 49 | | 19information or images are recorded or preserved, regardless of physical form or characteristics. |
|---|
| 50 | 50 | | 20 “Encrypted”, transformation of data through the use of a 128-bit or higher algorithmic |
|---|
| 51 | 51 | | 21process into a form in which there is a low probability of assigning meaning without use of a |
|---|
| 52 | 52 | | 22confidential process or key, unless further defined by regulation of the department of consumer |
|---|
| 53 | 53 | | 23affairs and business regulation. |
|---|
| 54 | 54 | | 24 "Financial institution", any office of a trust company, commercial bank, industrial loan |
|---|
| 55 | 55 | | 25company, savings bank, savings and loan association, cooperative bank or credit union chartered |
|---|
| 56 | 56 | | 26by the commonwealth or by another state of the United States, the District of Columbia, the |
|---|
| 57 | 57 | | 27commonwealth of Puerto Rico, a territory of possession of the United States, or a country other |
|---|
| 58 | 58 | | 28than the United States, or a national banking association, federal savings and loan association, |
|---|
| 59 | 59 | | 29federal savings bank or federal credit union. 3 of 6 |
|---|
| 60 | 60 | | 30 “Information security program”, the administrative, technical, or physical safeguards that |
|---|
| 61 | 61 | | 31a covered entity uses to access, collect, distribute, process, protect, store, use, transmit, dispose |
|---|
| 62 | 62 | | 32of, or otherwise handle personal information. |
|---|
| 63 | 63 | | 33 “Notice”, shall include: |
|---|
| 64 | 64 | | 34 (i) written notice; |
|---|
| 65 | 65 | | 35 (ii) electronic notice, if notice provided is consistent with the provisions regarding |
|---|
| 66 | 66 | | 36electronic records and signatures set forth in § 7001 (c) of Title 15 of the United States Code; |
|---|
| 67 | 67 | | 37and chapter 110G; or |
|---|
| 68 | 68 | | 38 (iii) substitute notice, if the person or agency required to provide notice demonstrates that |
|---|
| 69 | 69 | | 39the cost of providing written notice will exceed $250,000, or that the affected class of |
|---|
| 70 | 70 | | 40Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency |
|---|
| 71 | 71 | | 41does not have sufficient contact information to provide notice. |
|---|
| 72 | 72 | | 42 “Person”, a natural person, corporation, association, partnership or other legal entity. |
|---|
| 73 | 73 | | 43 “Personal information”, a resident’s first name and last name or first initial and last name |
|---|
| 74 | 74 | | 44in combination with any 1 or more of the following data elements that relate to such resident: |
|---|
| 75 | 75 | | 45 (a) Social Security number; |
|---|
| 76 | 76 | | 46 (b) driver’s license number or state-issued identification card number; |
|---|
| 77 | 77 | | 47 (c) financial account number, or credit or debit card number, with or without any required |
|---|
| 78 | 78 | | 48security code, access code, personal identification number or password, that would permit access |
|---|
| 79 | 79 | | 49to a resident’s financial account; or 4 of 6 |
|---|
| 80 | 80 | | 50 (d) biometric indicator of the consumer used to gain access to financial accounts of the |
|---|
| 81 | 81 | | 51consumer; provided, however, that “Personal information” shall not include information that is |
|---|
| 82 | 82 | | 52lawfully obtained from publicly available information, or from federal, state or local government |
|---|
| 83 | 83 | | 53records lawfully made available to the general public. |
|---|
| 84 | 84 | | 54 "Service provider", a person or entity that stores, processes, or transmits access device |
|---|
| 85 | 85 | | 55data on behalf of another person or entity. |
|---|
| 86 | 86 | | 56 “Substitute notice”, shall consist of all of the following: |
|---|
| 87 | 87 | | 57 (i) electronic mail notice, if the person or agency has electronic mail addresses for the |
|---|
| 88 | 88 | | 58members of the affected class of Massachusetts residents; |
|---|
| 89 | 89 | | 59 (ii) clear and conspicuous posting of the notice on the home page of the person or agency |
|---|
| 90 | 90 | | 60if the person or agency maintains a website; and |
|---|
| 91 | 91 | | 61 (iii) publication in or broadcast through media or medium that provides notice throughout |
|---|
| 92 | 92 | | 62the commonwealth. |
|---|
| 93 | 93 | | 63 (b) The department of consumer affairs and business regulation may adopt regulations, |
|---|
| 94 | 94 | | 64from time to time, to revise the definition of “encrypted”, as used in this chapter, to reflect |
|---|
| 95 | 95 | | 65applicable technological advancements. |
|---|
| 96 | 96 | | 66 SECTION 2. Section 2 of said chapter 93H is hereby further amended by striking out the |
|---|
| 97 | 97 | | 67first paragraph and inserting in place thereof the following paragraphs:- |
|---|
| 98 | 98 | | 68 Section 2. (a) The department of consumer affairs and business regulation shall adopt |
|---|
| 99 | 99 | | 69regulations relative to any person that owns or licenses personal information about a resident of |
|---|
| 100 | 100 | | 70the commonwealth. Such regulations shall require a person subject to this chapter to develop, 5 of 6 |
|---|
| 101 | 101 | | 71implement, and maintain a comprehensive information security program that contains |
|---|
| 102 | 102 | | 72administrative, technical, and physical safeguards that are reasonably designed to (1) ensure the |
|---|
| 103 | 103 | | 73security and confidentiality of personal information of residents of the commonwealth, (2) |
|---|
| 104 | 104 | | 74protect against any anticipated threats or hazards to the security or integrity of such information; |
|---|
| 105 | 105 | | 75and (3) protect against unauthorized acquisition of such information that could result in |
|---|
| 106 | 106 | | 76substantial harm to the individuals to whom such information relates. |
|---|
| 107 | 107 | | 77 The regulations shall require a person subject to this chapter to (1) designate an employee |
|---|
| 108 | 108 | | 78or employees to coordinate the information security program, (2) identify reasonably foreseeable |
|---|
| 109 | 109 | | 79internal and external risks to the security, confidentiality, and integrity of sensitive financial |
|---|
| 110 | 110 | | 80account information and sensitive personal information and assess the sufficiency of any |
|---|
| 111 | 111 | | 81safeguards in place to control these risks, including consideration of risks in each relevant area of |
|---|
| 112 | 112 | | 82the covered entity’s operations, (3) design and implement information safeguards to control the |
|---|
| 113 | 113 | | 83risks identified in its risk assessment, and regularly assess the effectiveness of the safeguards’ |
|---|
| 114 | 114 | | 84key controls, systems, and procedures, and (4) oversee third-party service providers by taking |
|---|
| 115 | 115 | | 85reasonable steps to select and retain third-party service providers that are capable of maintaining |
|---|
| 116 | 116 | | 86appropriate safeguards for personal information and requiring third-party service providers by |
|---|
| 117 | 117 | | 87contract to implement and maintain such safeguards. |
|---|
| 118 | 118 | | 88 A person shall be deemed to be in compliance with this chapter if it is subject to 15 |
|---|
| 119 | 119 | | 89U.S.C. 6801, 42 U.S.C. 1320d–2, or 42 U.S.C. 17932 and 17937 and the regulations |
|---|
| 120 | 120 | | 90promulgated under these sections. |
|---|
| 121 | 121 | | 91 SECTION 3: Section 3 of said chapter 93H is hereby further amended by striking out the |
|---|
| 122 | 122 | | 92third paragraph and inserting in place thereof the following paragraph:- The notice to be 6 of 6 |
|---|
| 123 | 123 | | 93provided to the resident shall include, but not be limited to, the consumer’s right to obtain a |
|---|
| 124 | 124 | | 94police report, how a consumer requests a security freeze and the necessary information to be |
|---|
| 125 | 125 | | 95provided when requesting the security freeze, and any fees required to be paid to any of the |
|---|
| 126 | 126 | | 96consumer reporting agencies. |
|---|