HOUSE DOCKET, NO. 3351 FILED ON: 1/17/2025
HOUSE . . . . . . . . . . . . . . . No. 358

The Commonwealth of Massachusetts

PRESENTED BY: Michael S. Day

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act relative to the security of personal financial information.

PETITION OF:
NAME: Michael S. Day
DISTRICT/ADDRESS: 31st Middlesex
DATE ADDED: 1/17/2025

By Representative Day of Stoneham, a petition (accompanied by bill, House, No. 358) of Michael S. Day relative to the security of personal financial information. Consumer Protection and Professional Licensure. [SIMILAR MATTER FILED IN PREVIOUS SESSION SEE HOUSE, NO. 281 OF 2023-2024.]

The Commonwealth of Massachusetts

In the One Hundred and Ninety-Fourth General Court (2025-2026)

An Act relative to the security of personal financial information.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Section 1 of chapter 93H, as appearing in the 2022 Official Edition, is hereby amended by striking out said section and inserting in place thereof the following section:-

Section 1. (a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:

"Access device", a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card.
"Agency", any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.

"Breach of security", the unauthorized acquisition or unauthorized use of unencrypted data, or of encrypted electronic data and the confidential process or key, that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or agency and that creates an identifiable risk of identity theft or fraud. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

"Data", any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

"Encrypted", transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

"Financial institution", any office of a trust company, commercial bank, industrial loan company, savings bank, savings and loan association, cooperative bank or credit union chartered by the commonwealth or by another state of the United States, the District of Columbia, the commonwealth of Puerto Rico, a territory or possession of the United States, or a country other than the United States, or a national banking association, federal savings and loan association, federal savings bank or federal credit union.
"Information security program", the administrative, technical, or physical safeguards that a covered entity uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personal information.

"Notice", shall include:
(i) written notice;
(ii) electronic notice, if notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 (c) of Title 15 of the United States Code and chapter 110G; or
(iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice.

"Person", a natural person, corporation, association, partnership or other legal entity.

"Personal information", a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number;
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; or
(d) biometric indicator of the consumer used to gain access to financial accounts of the consumer;
provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

"Service provider", a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.
"Substitute notice", shall consist of all of the following:
(i) electronic mail notice, if the person or agency has electronic mail addresses for the members of the affected class of Massachusetts residents;
(ii) clear and conspicuous posting of the notice on the home page of the person or agency if the person or agency maintains a website; and
(iii) publication in or broadcast through media or medium that provides notice throughout the commonwealth.

(b) The department of consumer affairs and business regulation may adopt regulations, from time to time, to revise the definition of "encrypted", as used in this chapter, to reflect applicable technological advancements.

SECTION 2. Section 2 of said chapter 93H is hereby further amended by striking out the first paragraph and inserting in place thereof the following paragraphs:-

Section 2. (a) The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall require a person subject to this chapter to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards that are reasonably designed to (1) ensure the security and confidentiality of personal information of residents of the commonwealth, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized acquisition of such information that could result in substantial harm to the individuals to whom such information relates.
The regulations shall require a person subject to this chapter to (1) designate an employee or employees to coordinate the information security program, (2) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of sensitive financial account information and sensitive personal information and assess the sufficiency of any safeguards in place to control these risks, including consideration of risks in each relevant area of the covered entity's operations, (3) design and implement information safeguards to control the risks identified in its risk assessment, and regularly assess the effectiveness of the safeguards' key controls, systems, and procedures, and (4) oversee third-party service providers by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for personal information and requiring third-party service providers by contract to implement and maintain such safeguards.

A person shall be deemed to be in compliance with this chapter if it is subject to 15 U.S.C. 6801, 42 U.S.C. 1320d-2, or 42 U.S.C. 17932 and 17937 and the regulations promulgated under these sections.

SECTION 3. Section 3 of said chapter 93H is hereby further amended by striking out the third paragraph and inserting in place thereof the following paragraph:-

The notice to be provided to the resident shall include, but not be limited to, the consumer's right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.