As data breaches affecting businesses around the world continue to dominate the headlines, it’s worth ensuring that your business is complying with the recently amended Maryland Personal Information Protection Act (“MPIPA”). This statute, which was amended effective January 1, 2018, requires that businesses “implement and maintain reasonable security procedures and practices” in order to prevent the unauthorized disclosure of employees’ “personal information.” The recent amendment to the MPIPA significantly broadened the definition of “personal information” to include not only Social Security numbers, driver’s license numbers, and financial account numbers, but also passport numbers, health insurance policy numbers, fingerprints, retina scans and other biometric data, and mental or physical health information (generally the kind of information covered by HIPAA).
The MPIPA also requires that businesses notify employees (and customers) of data breaches “as soon as reasonably practicable,” but not later than 45 days after the business discovers or is notified of the breach. It also requires that businesses “take reasonable steps to protect against unauthorized access to or use of the personal information” of employees when destroying an employee’s, or a former employee’s, records. Failure to comply with the MPIPA can result in criminal penalties, civil damages, and attorney’s fees.
In light of the recent amendment to the MPIPA, employers should: