Maryland
|
Click here to review text of state statute (see Md. Code Com. Law, Title 14, §§ 14-3501 et seq.) (For specific rules applicable to state and government agencies – see also Md. State Govt. Code, Title 10, §§ 10-1301 et seq.) (For specific rules applicable to the insurance industry – click here.) |
Information Covered / Important Definitions
Information covered:
Personal information of Maryland residents
Definition includes:
- Individual Taxpayer Identification Number.
- Passport Number and other ID numbers issued by federal govt
- State ID card numbers
- Health information (any information created by an entity covered by HIPAA regarding an individual’s medical history, condition, treatment or diagnosis
- A health insurance policy, certificate, number or health insurance subscribe number in combination with a unique ID that permits access to the information
- Biometric data
- Genetic Data
- User name or email address in combination with a password or security Q&A
Important definitions:
“Security Breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
"Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Covered Entities* / Third Party Recipients
Subject to statute:
Any business that owns or licenses personal information of an individual residing in Maryland.
Third party recipients:
A business that maintains computerized data that includes personal information that the business does not own or license must notify the owner or licensee of the information of any security breach as soon as reasonably practicable but no later than ten (10) days after discovery if it is likely that the breach has resulted or will result in misuse of personal information of a Maryland resident.
Notice Procedures & Timing / Other Obligations
Written, electronic or telephonic notice must be provided to victims of a security breach as soon as reasonably practicable but no later than forty-five (45) days after the business discovers or is notified of the breach of the security of a system, unless a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security (in which case notification is delayed until seven (7) days after the law enforcement agency determines that notification will not impede an investigation).
- Specific requirements for the content of the notice are detailed in statute.
- Substitute notice is available by means prescribed in the statute if the covered entity does not have sufficient contact information.
- Notification not required if, after investigation, the business determines that misuse of the personal information has not occurred or is not reasonably likely to occur. Records of such determination must be maintained for three years.
Other obligations:
If the business that incurs the security breach is not the owner or licensee of personal information, that business may not charge the relevant owner or licensee for information necessary to carry out the owner or licensee’s notification obligations under the breach law.
Owners and licensees of computerized data are prohibited from using information relative to a breach for purposes other than: 1) providing notification of the breach; 2) protecting or securing personal information; or 3) providing notification to national information security organizations to alert and avert new or expanded breaches.
Any business that must notify more than 1,000 consumers at one time of a security breach is also required to notify consumer reporting agencies of the security breach without unreasonable delay.
Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned, maintained, or licensed and the nature and size of its business.
Businesses must take reasonable steps to protect personal information when destroying customer records.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of a business for the purpose of the business so long as personal information is not used or subject to further unauthorized disclosure.
A business that is subject to and in compliance with § 501(b) of the GLBA, § 216 of the federal Fair and Accurate Transactions Act, 15 U.S.C. § 1681w, will be deemed to be in compliance with the Maryland statute.
Any business that complies with the notification procedures imposed by its primary or functional federal or state regulator is deemed in compliance with the Maryland statute.
Notification to Regulator / Waiver
Attorney General must be notified of a security breach prior to giving required notification to affected individuals.
Notification to the Attorney General must include (i) number of affected Maryland residents; (ii) description of the breach, including when and how it occurred; (iii) remediation steps taken; and (iv) form of notice and sample of notice that will be sent to individuals.
A determination of no likelihood of harm:
Does not require notification to Attorney General.
A waiver of the statute is void and unenforceable.
Penalties
Violations constitute an unfair or deceptive trade practice under Title 13 of the Maryland Code.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
Appropriate penalties and damages may be assessed in an enforcement action brought by the attorney general.
Consumers may bring actions under Title 13 of the Maryland Code, the Unfair and Deceptive Trade Practices Act.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute (see Md. Code Com. Law, Title 14, §§ 14-3501 et seq.) |