As we have noted before in this space, states have begun going through the process of amending their data breach notification laws. California, for example, recently amended its data breach notification statute to expand the definition of personal information. Illinois did the same, and adjusted its safe harbor provision. And New York created first-of-its-kind financial sector cybersecurity regulations. Legislatures in other states — like Massachusetts — have also introduced legislation to amend their data breach laws.
This makes sense: many of these laws are now a decade or more old, and the complexion of data security has changed in various ways since the time these laws and regulations were first enacted– including what consumers expect will be handled as private information, the reality of overlapping (and sometimes competing) regulatory requirements, and the burdens entities bear (or reasonably should be made to bear) in the face of often criminal activity.
Maryland has now joined this effort, and its amended data breach notification law will take effect on January 1, 2018. Among the changes:
-
Expanding the definition of personal information to include passport and state ID numbers, medical information, biometric data, and email;
-
Replacing an open-ended timeframe for notification with a 45-day notification deadline; and
-
Alternative notice if the breach only compromises consumer email accounts.
While the multiplicity of competing and state and federal overlapping regulatory requirements can be deeply frustrating and expensive for organizations facing compliance questions relating to data security, the benefit of the 50-state framework is that states can more nimbly experiment with various approaches even as the face of security rapidly changes.
