What are businesses required to do when personal information they have collected is breached? Most states have breach notification laws with varying degrees of security and notice requirements. With high profile data breaches continuing to top headlines, legislators are beginning to make these laws more strict.
Maryland’s legislature is no exception. On January 1, 2018, several amendments to the Maryland Personal Information Protection Act, (“MPIPA”) MD Code Ann., Com. Law §14-3501 et seq. will go into effect. Businesses collecting personal information should take note and be prepared.
Under the law as amended, the definition of “personal information” under §14-3501 has been greatly expanded. The current definition includes information such as first and last name, social security number, driver’s license numbers, and bank account numbers/ passwords. However, in light of amendments to the law, the definition of “personal information” will be more expansive and will also include the following:
health insurance policy numbers
fingerprints/ retina scans or other biometric data
any mental or physical health information (generally anything covered by HIPAA)
usernames/passwords that give access to a person’s e-mail address
In addition, changes have been made to allow notification of a data breach to be made within a set period of time. Section 14-3504(b) of MPIPA currently requires that a business conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the party has been or will be misused as a result of that breach. Should the business determine it is reasonably likely the information has been or will be misused, the law currently requires the business to notify the party “as soon as reasonably practicable.” The law, as amended, will require a business to notify the party owning the data no later than forty-five (45) days after the conclusion of any investigation conducted by the business in which it determined the breach has created a likelihood that the personal information has been or will be misused. Although not required in MPIPA, businesses should also be sure to provide prompt notice of any data breach to their insurance carrier.
Also, in light of the addition of usernames/passwords giving access to a person’s e-mail address to what is considered personal information under MPIPA, changes have been made under MPIPA to allow businesses to provide alternative notice in certain circumstances. As the law currently stands, §14-3504(e) generally requires that notice of a data breach be given by written notice sent to the most recent address on record, by telephone, or by e-mail if the business has expressly consented or primarily conducts business through the internet. However, under §14-3504(i) as amended, in the event of a data breach involving only personal information regarding a person’s e-mail address/password, a business may comply with MPIPA by providing notification in electronic or other form that directs the party whose personal information has been breached promptly to change their usernames, passwords, or security questions or take other appropriate steps to protect the e-mail account. It should be noted that, generally, such notification cannot be given to the party by sending notification by e-mail to the e-mail account affected by the breach. That said, however, such notification “may be given by a clear and conspicuous notice delivered to the party online while the party is connected to the affected e-mail account from an internet protocol address or online location from which the business knows the individual customarily accesses the account.”
Lastly, changes will occur to §14-3502 of MPIPA. This section currently governs the destruction of records and currently requires that when a business destroys a customer’s records that contain covered personal information, it must take reasonable steps to protect against unauthorized access or use of that information by others. The entity must take into account: (1) the sensitivity of the records, (2) the nature and size of the business and operations, (3) the costs and benefits of different destruction methods, and (4) available technology. Under the law, as amended, businesses will be required to also take reasonable care to protect an employee’s or former employee’s personal information. Importantly, this amendment expands the scope of this section outside the realm of consumer protection alone to include protection of employees.
Data breach security and notification laws in Maryland and throughout the country are evolving and will continue to do so. It should be noted that the National Association of Insurance Commissioners’ (NAIC) recent passage of the Insurance Data Security Model Law will provide many states with guidance on specific security measure requirements. Accordingly, it is of paramount importance that businesses keep abreast of compliance and notification requirements in this area.