Businesses operating in the retail and hospitality industries tend to gather a large amount of personal data. In addition to collecting employee data, as consumer-facing entities, retail and hospitality businesses typically gather large volumes of customer data. As such, businesses in these industries can see the significant regulatory impact when states look to make legislative reform in the data privacy space.
In recent years, California and Nevada have received significant attention as the states pushing legislation that protects consumers’ and employees’ data privacy and regulates businesses when a data breach occurs. But Massachusetts recently made significant amendments to its data breach statute, and further legislative reform could soon follow in the form of a comprehensive data privacy statute. The result could place Massachusetts at the forefront of data privacy protection in the United States.
On January 10, 2019, Governor Baker enacted a series of amendments to Chapter 93H of the General Laws, passed as part of a 2018 law, an Act Relative to Consumer Protection from Security Breaches. Among other things, the amendments require companies reporting potential data breaches to the Attorney General’s Office to provide more information about the breach than before, including the perpetrator of the breach (if known) and the type of information compromised, including whether the information included Social Security numbers or financial account numbers. The amendments also require such companies to inform the AGO whether the companies have enacted a written information security program under Chapter 93H, § 2 and 201 CMR 17. As such, companies that do not have WISPs in place risk additional oversight from the AGO, especially if a breach occurs.
The amendments to Chapter 93H also require companies whose data has been breached to provide more robust notice to the potentially impacted Massachusetts residents. In addition to informing residents about their rights regarding police reports and credit freezes, such notice must now identify any parent or affiliate corporation of the company suffering the breach. A company also may not delay consumer notice on the grounds that it is still investigating the number of affected Massachusetts residents. For any breach that implicates consumers’ Social Security numbers, the amendments further require the affected company to automatically provide impacted residents of the Commonwealth with at least 18 months—or at least 42 months for any credit reporting agency experiencing a breach—of complimentary credit monitoring services without any waiver of the consumer’s right to sue.
January 2019 also saw Senate Bill 120—An Act Relative to Consumer Data Privacy—introduced in the Massachusetts legislature and referred to the Joint Committee on Consumer Protection and Professional Licensure. If enacted, SB 120 would add Chapter 93L to the General Laws, effective January 1, 2023. Proposed Chapter 93L contains a comprehensive set of consumer data privacy provisions and non-waivable consumer rights. For example, it would require covered businesses to provide a detailed notice to consumers before collecting their personal information, which notice would have to disclose the consumer’s right to have information deleted and the consumer’s right to opt out of third-party disclosures of their information. It would also require covered businesses to maintain, on their websites, a mechanism for consumers to make requests regarding information the business has collected.
Covered businesses would not be allowed to retaliate or discriminate against consumers for exercising their rights under Chapter 93L. Perhaps most importantly, consumers whose rights under Chapter 93L have been violated would have a private right of action against the offending business without separate loss of money or property and would be entitled to recover statutory damages of up to $750 per incident (or actual damages, if greater), as well as attorneys’ fees, something that could encourage class action lawsuits. And if the Attorney General’s Office successfully prosecuted violations of Chapter 93L, the offending business would be subject to civil penalties of up to $2,500 for each violation, with such penalties trebled for intentional violations.
If enacted, SB 120 could make Massachusetts one of the foremost jurisdictions in the nation with respect to data privacy. While other states pass laws that contain limited private rights of action or leave it to their judiciary to recognize common law tort remedies for data breaches, and while the federal government remains on the sidelines, Massachusetts may become the standard-bearer for data privacy laws in the United States. Regardless of industry, businesses that are based, or do business, in the Commonwealth should ensure compliance with the recent amendments to Chapter 93H and continue to monitor the pending legislation. Indeed, data privacy issues can reach businesses in all industries, but particularly consumer-facing ones such as retail and hospitality. As such, those businesses should continue to monitor developments in data privacy legislation and keep abreast of best practices when it comes to data security.