Maryland Personal Information Protection Act (“PIPA”) (Security Breach)
Md. Code Ann. Comm. Law § 14-3501 - § 14-3508
SUMMARY:
EFFECTIVE. January 1, 2008
WHO DOES THIS LAW APPLY TO. (1) Any business that owns or licenses computerized data that includes Personal Information; and (2) any business that maintains computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a business. A good faith acquisition of Personal Information by an employee or agent of a business for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted, redacted, or secured by any other method that renders the element unreadable or unusable:
- Social Security Number or tax identification number.
- Driver’s license number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Passport number or other identification number issued by the federal government.
- State identification card number.
- Health information, defined to include any information created by an entity covered by HIPAA regarding an individual’s medical history, condition, treatment, or diagnosis.
- A health insurance policy or certificate number, or health insurance subscriber identification number, in combination with a unique identifier that permits access to the individual’s health information.
- Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to uniquely authenticate a person’s identity upon accessing a system or account.
- A username or email address in combination with a password or security question and answer that permits access to an individual’s email account.
Personal Information does not include information that:
- Is publicly and lawfully available from Federal, State, or local government records.
- An individual has consented to have publicly distributed or listed.
- Is distributed or listed in accordance with the Federal Health Insurance Portability and Accountability Act (HIPAA).
WHO TO NOTIFY OF THE BREACH. When a business discovers or is notified of a security breach, notification must first be sent to the Office of the Attorney General, followed by notice to the affected residents. The notice to residents shall include:
- A description of the data elements acquired.
- Address and telephone number (including toll-free number, if applicable) for the business giving notice.
- Toll-free telephone numbers and addresses for the major consumer reporting agencies.
- Toll-free telephone numbers, physical addresses and website addresses for the Federal Trade Commission (“FTC”) and the Office of the Attorney General (“Attorney General”).
- A statement explaining that information on how to avoid identity theft may be obtained from the FTC and the Attorney General.
If more than 1,000 residents are involved in a breach, the business shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis (as defined in 15 U.S.C. § 1681a(p)) of the timing, distribution (excluding names) and content of the notices.
EXCEPTIONS. The notification requirement does not apply in the following cases:
- No notification is required if the business, after a reasonable investigation, determines that misuse of the Personal Information has not occurred and is not reasonably likely to occur. However, the business must maintain records of that determination for three (3) years.
- A business that is regulated by State or Federal law and maintains security breach procedures pursuant to those State or Federal laws or rules is considered in compliance with this Section if the affected residents are notified in accordance with those procedures.
- A business that is subject to and in compliance with the Federal Gramm-Leach-Bliley Act, the Federal Fair and Accurate Credit Transactions Act, the Federal Interagency Guidelines Establishing Information Security Standards and the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. The disclosure shall be made as soon as reasonably practicable following discovery or notification of a security breach, but not later than 45 days after the business has concluded its investigation. Notification may be delayed if law enforcement determines it will impede a criminal investigation or jeopardize national security, or for the time necessary to determine the scope of the breach, identify the affected individuals and restore the integrity of the data system. If notice is delayed for a law enforcement reason, notification shall be given as soon as possible after law enforcement determines it will no longer impede the investigation or jeopardize national security.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written (to the most recent address on file with the business).
- Telephonic.
- Electronic (if electronic communication is the business’s primary means of communication with the individual, or the individual has consented to electronic notice).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the business can demonstrate that the cost of providing notice will exceed $100,000, that the affected class of persons to be notified exceeds 175,000, or that the business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the business, if one is maintained.
- Notification to major statewide media.
If the breach involves only a username or email address in combination with a password or security question and answer that permits access to an individual’s email account, then, subject to certain exceptions, the business may instead provide notice in electronic or other form that directs the individual promptly to:
- Change the password and security question and answer for the account; or
- Take other steps appropriate to protect the email account with the business and all other online accounts for which the individual uses the same username or email address and password or security question and answer.
This form of notice may be given by a clear and conspicuous notice delivered to the individual online while the individual is connected to the affected email account from an internet protocol address or online location from which the business knows the individual customarily accesses the account. It may not be given by sending the notice to the compromised email account itself, since the attacker who acquired the credentials may read or suppress it.
NOTICE TO THIRD-PARTIES. If a business maintains computerized data that includes Personal Information that it does not own, then it shall notify the owner or licensee of a security breach and related information. The business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. A violation of PIPA is an unfair or deceptive trade practice under the Maryland Consumer Protection Act (Title 13 of the Commercial Law Article) and is subject to the enforcement provisions and penalties of Title 13. Enforcement is by the Attorney General (Consumer Protection Division) or by civil lawsuit, and remedies include:
- A court order prohibiting any further violations.
- Recovery of attorney’s fees and costs.
- Imprisonment for up to 1 year.
- Recovery of damages.
- First violation: a merchant who engages in a violation of Title 13 is subject to a fine of not more than $1,000 for each violation.
- Subsequent violation: a merchant who has been found to have engaged in a violation of Title 13 and who subsequently repeats the same violation is subject to a fine of not more than $5,000 for each subsequent violation.
- Factors affecting penalty amount: the Consumer Protection Division shall consider the following in setting the amount of the penalty imposed in an administrative proceeding:
  (1) The severity of the violation for which the penalty is assessed;
  (2) The good faith of the violator;
  (3) Any history of prior violations;
  (4) Whether the amount of the penalty will achieve the desired deterrent purpose; and
  (5) Whether the issuance of a cease and desist order, including restitution, is insufficient for the protection of consumers.
PRIVATE RIGHT OF ACTION. Yes. Consumers may bring an action under Title 13 of the Commercial Law Article (the Maryland Consumer Protection Act).
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Md. Com. Law § 14-3503. To protect Personal Information from unauthorized access, use, modification, or disclosure, a business that owns or licenses Personal Information of a Maryland resident shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the Personal Information and to the nature and size of the business and its operations. A business that uses a nonaffiliated third party as a service provider and discloses Personal Information to it under a written contract shall require by that contract that the third party implement and maintain reasonable security procedures and practices as well.
DATA DISPOSAL PROVISIONS. Md. Com. Law § 14-3502. When a business is destroying a customer’s, an employee’s, or a former employee’s records that contain personal information of the customer, employee, or former employee, the business shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account: (1) The sensitivity of the records; (2) The nature and size of the business and its operations; (3) The costs and benefits of different destruction methods; and (4) Available technology.
LEGISLATIVE UPDATES.
H.B. 208 – Signed into law on 4/3/2007, Effective 1/1/2008.
H.B. 974 – Signed into law on 5/4/2017, Effective 1/1/2018.
For more information, see here: https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-3501&enactments=false
AND
https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx
AND
https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.