
Alston & Bird Privacy, Cyber & Data Strategy Blog


Maryland Amends Data Breach and Reasonable Security Requirements

July 5, 2022 By Kim Peretti, Kate Hanniford and Lance Taubin

Maryland recently passed House Bill 962, amending Maryland’s Personal Information Protection Act (PIPA) (Md. Code Ann. Comm. Law 14-3504). As summarized below, House Bill 962 amends certain aspects of PIPA relating to breach notification and maintaining reasonable security measures to protect personal information. The bill becomes effective October 1, 2022.

  1. Reasonable Security: Beginning October 1, 2022, businesses that maintain personal information of Maryland residents must implement and maintain “reasonable security” safeguards that are appropriate to the nature of the personal information maintained and the nature and size of the business and its operations. Previously, the “reasonable security” requirements applied only to businesses that own or license such information, not to those that merely maintain it. The bill does not specify the types of security safeguards that should be implemented and maintained, unlike other states’ reasonable security statutes (such as the NY SHIELD Act).
  2. Notice to Attorney General: Maryland expanded the content requirements for notifications to the Attorney General. Notifications must now include the number of affected Maryland individuals, a description of the security breach, inclusive of when and how the breach occurred, any remediation steps the company has or plans to take in response to the security breach, and a sample notification letter that was sent to individuals.
  3. Notification Timing: Businesses that maintain personal information on behalf of a data owner must notify the data owner of a security breach as soon as reasonably practicable, but within 10 days of discovering or being notified of the security breach. Previously, businesses that maintained personal information had significantly more time to notify the data owner – up to 45 days. Further, for businesses that own or license personal information that have delayed notifying individuals due to a law enforcement investigation, notification must be made as soon as reasonably practicable and within seven days after law enforcement determines that notification will not impact the investigation. Previously, businesses had 30 days. The narrower notification timelines may help individuals mitigate any potential impact from the security breach, such as identity theft.
  4. Definition of Personal Information: Maryland was already one of few states that explicitly included “genetic information” in the definition of “personal information,” but House Bill 962 now expands and specifies what is considered genetic information subject to data breach notification requirements. Genetic information is any data that results from the analysis of a biological sample of the individual, or equivalent information that concerns genetic material. Genetic information also specifically includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived or inferred from the above-referenced information concerning genetic material.

For guidance related to Maryland’s PIPA, please contact our Privacy, Cyber & Data Strategy Team.


Filed Under: Data Breach, Data Protection, Data Security, Security Breach

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.

[Read Bio]

About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.

[Read Bio]

About Lance Taubin

Lance Taubin is an associate with Alston & Bird’s Privacy, Cyber & Data Strategy team. He advises clients on data privacy and cybersecurity compliance and enforcement, managing cyber risk, breach investigations, and response and transactional diligence.

[Read Bio]

Copyright © 2022 · Alston & Bird · All Rights Reserved.