Consumers will be able to receive free credit monitoring after a data breach and “security freezes” under a new law signed by Massachusetts Gov. Charlie Baker.

The law, which takes effect in 90 days, also requires entities that hold consumer data and have been hit with a security breach to offer free credit monitoring in some situations.

Identity thieves often seek to open credit accounts with information stolen through data breaches. A “freeze” of credit files is one safeguard available to consumers.

Credit reporting agencies will be required to provide a “security freeze” free of charge when a consumer requests it. The provision is similar to a federal law passed in September 2018.

Separately, the new Massachusetts law also requires third parties to gain consumers’ written consent before obtaining credit reports for non-credit purposes.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Baker said in a statement.

The law is a response to the 2017 data breach at Equifax, which is among the country’s largest credit monitoring agencies. The law also comes after the Marriott hotel chain said a security breach affected 500 million customers.

In its credit monitoring offer after the breach, Equifax inserted a clause seeking to prevent consumers from suing them or joining a class action suit.

The law signed by Baker prohibits such clauses in credit monitoring offers.

“This is good news and offers consumers new tools to protect themselves from identity theft after a security breach like the recently announced ones at Equifax and Marriott,” said Deirdre Cummings, legislative director for the consumer advocacy group MASSPIRG.

MASSPIRG noted that Equifax and the other two major credit bureaus, TransUnion and Experian, previously had been charging $5 per credit freeze.

Under the new law, credit reporting agencies must provide at least 3.5 years of free monitoring to affected people if a security breach includes the theft of Social Security numbers. All other entities must provide at least 1.5 years of free credit monitoring.

“While a good first step, we still have some more work to do to hold companies accountable for failing to properly safeguard our personal information,” Cummings said.