Expansion of Maryland’s Personal Information Act Takes Effect October 1st
An expansion of Maryland’s Personal Information Protection Act, codified at Md. Code Ann., Comm. Law § 14-3504, goes into effect on October 1st. Under the existing statute, a business that owns or licenses computerized personal information of a Maryland resident that learns of a breach of the security of its computer system must conduct, in good faith, a reasonable and prompt investigation to determine the likelihood that personal information will be misused. If it determines that there exists a likelihood that data will be misused, the business must then provide certain notifications to the affected individuals. The new law also requires those businesses that “maintain” computerized personal information to conduct this initial investigation. Additionally, the new provisions provide that if the business that incurred the breach is not the owner or the licensee of the information, then that business cannot charge the owner or the licensee a fee for providing it the results of the initial investigation.
To recap the law:
• A business that owns, licenses or maintains computerized personal information of a Maryland resident that learns of a breach of the security of its computer system must conduct, in good faith, a reasonable and prompt investigation to determine the likelihood that personal information will be misused.
• If the results of the initial investigation (to be made upon learning of a breach) show that there is a likelihood of misuse of the personal information, the owner or licensee must notify the affected individuals as soon as reasonably practical but not later than forty-five days after the conclusion of the initial investigation.
• If the results of the investigation show there does not exist a likelihood of misuse, then the business must maintain records that support this conclusion for three years.
• A business that maintains computerized personal data must notify the owner or licensee of a breach as soon as reasonably practical but not later than forty-five days after it discovers or is notified of the breach.
These notifications may be delayed in certain circumstances. The statute also requires that the Attorney General’s office be notified before the affected individuals and prescribes the methods and contents of such notice.