Bill > S184

This bill amends existing Massachusetts law, Chapter 93H, to strengthen the security of personal financial information by updating definitions and adding new provisions. Key changes include defining terms like "access device" (e.g., credit or debit cards), "breach of security" (unauthorized access or use of data that risks identity theft or fraud), and "encrypted" (data transformed to be unreadable without a key, with a minimum standard of 128-bit encryption). The bill also clarifies that notice of a breach can be provided electronically or through substitute means if traditional methods are impractical. Importantly, it prohibits businesses that accept payment cards from retaining sensitive data like card security codes or full magnetic stripe data after a transaction is authorized, with a 48-hour exception for PIN debit transactions, and makes businesses liable for costs incurred by financial institutions to protect cardholders in the event of a breach. Finally, it allows businesses to comply with federal data security regulations if they also notify Massachusetts residents, the Attorney General, and the Director of the Office of Consumer Affairs and Business Regulation of any breaches.