Section 3A. (a) If a person knows or has reason to know that said person experienced an incident that requires notice pursuant to section 3 and such breach of security includes a social security number, the person shall contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months; provided, however, that if the person that has experienced a breach of security is a consumer reporting agency, then said consumer reporting agency shall contract with a third party to offer each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to such resident for a period of not less than 42 months. Said contracts shall not include reciprocal agreements for services in lieu of payment or fees. The person or agency shall provide all information necessary for the resident to enroll in credit monitoring services and shall include information on how the resident may place a security freeze on the resident's consumer credit report.
(b) A person that experienced a breach of security shall not require a resident to waive the resident's right to a private right of action as a condition of the offer of credit monitoring services.
(c) The department of consumer affairs and business regulation may promulgate regulations interpreting and applying this section.
Structure Massachusetts General Laws
Part I - Administration of the Government
Title XV - Regulation of Trade
Chapter 93h - Security Breaches
Section 2 - Regulations to Safeguard Personal Information of Commonwealth Residents
Section 3 - Duty to Report Known Security Breach or Unauthorized Use of Personal Information