Bill > S545

This bill amends existing law to strengthen the security of personal financial information by defining key terms like "access device" (e.g., credit or debit cards), "breach of security" (unauthorized acquisition or use of data that risks identity theft), and "personal information" (which includes Social Security numbers, driver's license numbers, or financial account details). It prohibits businesses in Massachusetts that accept payment cards from retaining sensitive data like card security codes or full magnetic stripe data after a transaction is authorized, with a 48-hour grace period for PIN debit transactions. If a breach of security occurs due to a violation of these rules or a failure to take reasonable security measures, the responsible person or entity is liable for damages to the financial institution that issued the affected payment cards, covering costs like reissuing cards, closing accounts, and notifying customers. The bill also clarifies that compliance with certain federal data security procedures can satisfy state requirements, provided the Attorney General and the director of the office of consumer affairs and business regulation are notified of any breaches.