The bill aims to enhance the security of personal information by amending Chapter 93H of the General Laws. Key changes include the removal of the existing definition of "Agency" and the introduction of new definitions such as "Access device," "Biometric indicator," "Information security program," and "Neural data." The definition of "Personal information" has been expanded to include various data elements, such as biometric indicators and neural data, while also clarifying what does not constitute personal information. Additionally, the bill revises the definition of "Substitute notice" to outline specific methods of notification in the event of a data breach.

Furthermore, the bill mandates the Department of Consumer Affairs and Business Regulation to adopt regulations that ensure the safeguarding of personal information, taking into account the size and scope of businesses. It also specifies the content of breach notification to affected residents, including their rights and available mitigation services. Notably, the bill allows for exceptions to notification requirements in cases of inadvertent disclosures, provided that a written determination is made and maintained. Overall, these amendments aim to strengthen the protection of personal information for residents of the Commonwealth.

Statutes affected:
Bill Text: 93H-1