Maryland Employers Required to Protect Employees’ Personal Information

Pessin Katz Law, P.A.

As data breaches affecting businesses around the world continue to dominate the headlines, it’s worth ensuring that your business is complying with the recently amended Maryland Personal Information Protection Act (“MPIPA”). This statute, which was amended effective January 1, 2018, requires that businesses “implement and maintain reasonable security procedures and practices” in order to prevent the unauthorized disclosure of employees’ “personal information.” The recent amendment to the MPIPA significantly broadened the definition of “personal information” to include not only Social Security numbers, driver’s license numbers, and financial account numbers, but also passport numbers, health insurance policy numbers, fingerprints, retina scans or other biometric data, and any mental or physical health information (generally anything covered by HIPAA).

The MPIPA also requires that businesses notify employees (and customers) of data breaches “as soon as reasonably practicable, but not less than 45 days”. It also requires that businesses “take reasonable steps to protect against unauthorized access to or use of the personal information” of employees when destroying an employee’s, or a former employee’s, records. Failure to comply with the MPIPA can result in criminal penalties, civil damages, and attorney’s fees.

In light of the recent amendment of MPIPA, employers should:

  • Ensure they have implemented “reasonable security procedures and practices.”  It is worth noting that the MPIPA does not define “reasonable security procedures and practices.”  Consequently, employers should implement those procedures and practices that are reasonable under all of the circumstances, which include but are not limited to: the types of records at issue, the resources of the business, the costs and benefits of available security protocols, and the available technology.
  • Ensure, when destroying records of current or former employees, “reasonable steps” are taken to protect against unauthorized access to employees’ personal information.  The MPIPA provides that the reasonableness of the steps taken depends on:  “the sensitivity of the records at issue, the nature and size of the business and its operations, the costs and benefits of different security methods, and the available technology.”
  • Ensure timely notification is given to employees or former employees whose personal information has been compromised.  This requires notification no later than 45 days after knowledge of the breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pessin Katz Law, P.A. | Attorney Advertising
