As data breaches affecting businesses around the world continue to dominate the headlines, it’s worth ensuring that your business is complying with the recently amended Maryland Personal Information Protection Act (“MPIPA”). The statute, as amended effective January 1, 2018, requires that businesses “implement and maintain reasonable security procedures and practices” in order to prevent the unauthorized disclosure of employees’ “personal information.” The amendment significantly broadened the definition of “personal information”: it now covers not only Social Security numbers, driver’s license numbers, and financial account numbers, but also passport numbers, health insurance policy numbers, fingerprints, retina scans, or other biometric data, and any mental or physical health information (generally, anything covered by HIPAA).
The MPIPA also requires that businesses notify employees (and customers) of data breaches “as soon as reasonably practicable, but not later than 45 days” after the business discovers or is notified of the breach. It further requires that businesses “take reasonable steps to protect against unauthorized access to or use of the personal information” of employees when destroying a current or former employee’s records. Failure to comply with the MPIPA can result in criminal penalties, civil damages, and attorney’s fees.
In light of the recent amendment of MPIPA, employers should:
Ensure they have implemented “reasonable security procedures and practices.” It is worth noting that the MPIPA does not define “reasonable security procedures and practices.” Consequently, employers should implement those procedures and practices that are reasonable under all of the circumstances, which include but are not limited to: the types of records at issue, the resources of the business, the costs and benefits of available security protocols, and the available technology.
Ensure that, when destroying records of current or former employees, “reasonable steps” are taken to protect against unauthorized access to employees’ personal information. The MPIPA provides that the reasonableness of the steps taken depends on “the sensitivity of the records at issue, the nature and size of the business and its operations, the costs and benefits of different security methods, and the available technology.”
Ensure timely notification is given to employees or former employees whose personal information has been compromised. The MPIPA requires notification as soon as reasonably practicable, and in any event no later than 45 days after the business discovers or is notified of the breach.