Amendments to Data Breach Notification Statute in Maryland Take Effect January 1, 2018

Amendments to the Maryland Personal Information Protection Act took effect January 1, 2018. The amendments primarily expand the definition of what constitutes “personal information” and set out specific procedures and deadlines for notification in the event of a breach.

Before the amendments took effect, the definition of “personal information” was limited to an individual’s first name or first initial and last name in combination with one or more of the following data elements, when not encrypted or otherwise protected so as to make them unreadable or unusable: a social security number; a driver’s license number; a financial account number, including a credit card number or debit card number, in combination with any security or access code or password that would permit access to the individual’s financial account; or an individual taxpayer identification number. Under the amendments, the definition of “personal information” has been expanded to include: a taxpayer identification number, passport number, or other identification number issued by the federal government; a state identification card number; health information, including information about an individual’s mental health; a health insurance policy or certificate number or health insurance subscriber identification number that, in combination with “a unique identifier used by an insurer or an employer that is self-insured,” permits access to the individual’s health information; biometric data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to authenticate the individual’s identity; and a user name or email address in combination with a password or security question and answer that permits access to an individual’s email account. The amendments define “health information” as any information protected by the Health Insurance Portability and Accountability Act (“HIPAA”).

Previously, the statute imposed requirements on businesses when destroying a customer’s “personal information.” The amendments now apply those same procedures to the destruction of the “personal information” of current and former employees as well.

Another significant change is the time within which notification must be provided after a data breach. Previously, a business had to provide notification “as soon as reasonably practicable” after it determined that a misuse of personal information had occurred or was likely to occur as a result of a data breach. Under the amendments, a business must provide notice to affected individuals if it determines that a data breach “creates a likelihood that personal information has been or will be misused,” and the notification must be given “as soon as reasonably practicable, but not later than 45 days after the business concludes” its investigation into a suspected data breach. Similarly, when a business “maintains computerized data that includes personal information of an individual residing in [Maryland] that the business does not own or license,” the business must also notify the owner or licensee of the personal information of the breach as soon as practicable, but no later than 45 days after discovering the breach. There are certain limited exceptions under which notification may be delayed.

Lastly, the amendments also provide an alternative notification procedure when a data breach involves only information that permits access to an individual’s email account. In that case, the company may provide notice that directs the individual whose personal information has been breached to promptly: (1) change the account password and security question or answer; or (2) take other steps “appropriate to protect the email account” and “all other online accounts for which the individual uses the user name or email and password or security question or answer.” If that notice is given electronically, there are limitations on when and how it may be delivered: the notice must be “clear and conspicuous” and “delivered to the individual online while the individual is connected to the affected email account from an Internet protocol address or online location from which the business knows the individual customarily accesses the account.” In practice, this means a business cannot satisfy the alternative procedure simply by sending a message to the compromised email account, since the attacker may be the one reading it.

With data breaches becoming more common, it is important that businesses understand their obligations in the event of a breach. Because requirements vary by state, as well as at the federal and international level, businesses should conduct a comprehensive review of potentially applicable laws so that they understand how to respond substantively, procedurally, and on time in the event of a data breach. With respect to companies affected by the Maryland Personal Information Protection Act, keep in mind that this post focuses on the amendments that took effect earlier this year; companies also have additional data protection obligations that were in effect before the amendments.

If you have any questions regarding this post, please contact Stephen B. Stern at (410) 260-6585 or Amitis Darabnia at (410) 260-6592.

DISCLAIMER: This Blog/Website is for educational purposes and to provide readers with general information about developments in the law. This Blog/Website is not intended and should not be relied on for legal advice. This Blog/Website does not constitute an advertisement for legal services and it does not endorse, promote, or recommend the products, services, or websites of any third party. Reading, reviewing, or any other use of this Blog/Website does not create an attorney-client relationship between the reader and the firm or any attorney at the firm.
