Maryland recently passed House Bill 962, amending Maryland’s Personal Information Protection Act (PIPA) (Md. Code Ann. Comm. Law 14-3504). As summarized below, House Bill 962 amends certain aspects of PIPA relating to breach notification and maintaining reasonable security measures to protect personal information. The bill becomes effective October 1, 2022.
- Reasonable Security: Beginning October 1, 2022, businesses that maintain personal information of Maryland residents must implement and maintain “reasonable security” safeguards that are appropriate to the nature of the personal information maintained and the nature and size of the business and its operations. Previously, the “reasonable security” requirements applied only to businesses that own or license such information, not those that merely maintain personal information. The bill does not specify the types of security safeguards that should be implemented and maintained, unlike other states’ reasonable security statutes (such as the NY SHIELD Act).
- Notice to Attorney General: Maryland expanded the content requirements for notifications to the Attorney General. Notifications must now include the number of affected Maryland individuals, a description of the security breach, inclusive of when and how the breach occurred, any remediation steps the company has or plans to take in response to the security breach, and a sample notification letter that was sent to individuals.
- Notification Timing: Businesses that maintain personal information on behalf of a data owner must notify the data owner of a security breach as soon as reasonably practicable, but within 10 days of discovering or being notified of the security breach. Previously, businesses that maintained personal information had significantly more time to notify the data owner – up to 45 days. Further, for businesses that own or license personal information that have delayed notifying individuals due to a law enforcement investigation, notification must be made as soon as reasonably practicable and within seven days after law enforcement determines that notification will not impact the investigation. Previously, businesses had 30 days. The narrower notification timelines may help individuals mitigate any potential impact from the security breach, such as identity theft.
- Definition of Personal Information: Maryland was already one of few states that explicitly included “genetic information” in the definition of “personal information,” but House Bill 962 now expands and specifies what is considered genetic information subject to data breach notification requirements. Genetic information is any data that results from the analysis of a biological sample of the individual, or equivalent information that concerns genetic material. Genetic information also specifically includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived, or inferred from the above-referenced information concerning genetic material.
For guidance related to Maryland’s PIPA, please contact our Privacy, Cyber & Data Strategy Team.