Boston: State Senator Benjamin B. Downing (D-Pittsfield) announced today that the Senate has passed legislation providing Massachusetts consumers with greater protections from identity theft. The bill increases requirements on companies and agencies to report security breaches and protect personal information. It also puts tools at consumers’ disposal to protect their credit information.
“This legislation gives consumers more control over outsider access to personal data and requires more stringent protections from entities handling sensitive information. I am proud to be a member of the legislative body that has strengthened consumer protections across the Commonwealth,” stated Downing.
The legislation allows consumers to dictate who has access to their personal information from credit reporting agencies by allowing them to apply a security freeze on their information. The consumer would be required to send notification to the reporting agencies requesting the freeze. Once the reporting agency receives the request, it will send the individual a confirmation along with an ID and passcode. This passcode will allow the consumer to temporarily unfreeze or completely remove the freeze from the account.
A fee of no more than $5 may be charged to implement a freeze, to remove it, or for each lift of a freeze. The charges, however, will not apply to a victim of identity theft or a victim’s spouse.
“It is time for Massachusetts to protect consumers from identity theft,” said Senate President Murray. “This law empowers consumers and increases the responsibility of companies and agencies that store consumers’ personal and credit information.”
In addition to empowering consumers, the legislation also clearly defines the requirements and responsibilities of businesses and agencies. Specifically, businesses, government agencies and non-profits are required to inform individuals of any security breach where there is the potential that personal information has been accessed and might be used for unlawful activities. The business or agency would provide a written notice or, depending on the number of consumers affected, an appropriate means of notification to the affected individuals.
Businesses and agencies are also directed to properly dispose of personal information, whether in electronic or paper format, by measures that include redaction, pulverizing, burning, erasure of electronic data or shredding. Any entity failing to properly dispose of personal information can be fined up to $100 for each data subject affected, but not exceeding $50,000.
The Federal Trade Commission estimates that 9 million people each year are victims of identity theft. The legislation is now on its way to the Governor’s desk to await his signature and final approval.