December 10, 2019

Maryland Again Amends Its Data Breach Notification Law

Jackson Lewis P.C.

+ Follow Contact

Send

Embed

In response to trends, heightened public awareness, and a string of large-scale data breaches, states continue to enhance their data breach notification laws. In 2017 Maryland amended its Personal Information Protection Act (PIPA) with expansion of the definition of personal information, modification of the definition of “breach of the security of the system”, establishing a 45-day timeframe for notification and expansion of the class of information subject to Maryland’s data destruction laws. Now, Maryland has again amended PIPA, with HB 1154 in effect from October 1, 2019, notably enhancing the requirements for a business once it becomes aware of a data security breach.

Under PIPA, prior to HB 1154, a business that owns or licenses personal information aware of a data security breach was required to conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information had been or will be misused as a result of the breach. The new amendment expands covered businesses to include all businesses that own, license or maintain the personal information of Maryland residents.

That said, if a business that maintains the personal information incurs a breach, it is still the obligation of the business that owns or licenses that information to notify effected residents of the breach. Moreover, if the business that incurs the breach is not the owner or licensee of the personal information, the business may not charge the owner or licensee a fee for providing information that the owner or licensee needs to make a notification.

In addition, a business that owns or licenses personal information cannot use information related to the breach for any purpose other than for:

Providing notification of the breach;
Protecting or securing personal information; or
Providing notification to national information security organizations created for information sharing and analysis of security threats, to alert and avert new or expanded breaches.

New trends likely will continue to prompt amendments to state data breach notifications laws. Businesses should develop their incident response plans with flexibility as a key component to ensure compliance with the most current breach notification requirements.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Jackson Lewis P.C.

Contact + Follow

Joseph Lazzarotti

+ Follow

less

Published In:

Cybersecurity

+ Follow

Data Breach

+ Follow

Data Security

+ Follow

Personally Identifiable Information

+ Follow

PIPA

+ Follow

State and Local Government

+ Follow

State Data Breach Notification Statutes

+ Follow

Consumer Protection

+ Follow

Elections & Politics

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Jackson Lewis P.C. on:

Maryland Again Amends Its Data Breach Notification Law

Latest Posts

Written by:

Published In:

Jackson Lewis P.C. on:

"My best business intelligence, in one easy email…"