Your Compliance Edge


Maryland Amends Personal Information Protection Act

Posted on May 17 2017 07:00 PM

Amended Law Effective January 1, 2018

Maryland has amended its Personal Information Protection Act, which (among other things) imposes certain employer investigation and notice requirements. Highlights of the amended law are presented below.

Definitions of 'Personal Information'
The amended law contains two different definitions of "personal information." First, "personal information" generally means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:

  • A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;
  • A driver's license number or state identification card number;
  • An account number, a credit card number, or a debit card number—in combination with any required security code, access code, or password—that permits access to an individual's financial account;
  • Health information, including information about an individual's mental health;
  • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or
  • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.

Alternatively, "personal information" generally means a user name or email address in combination with a password or security question and answer that permits access to an individual's email account.

Breach Investigation and Notification
A business that owns or licenses computerized data that includes personal information of an individual residing in Maryland, when it discovers or is notified of a breach of the security of a system, must conduct in good faith a reasonable and prompt investigation to determine the likelihood that the individual's personal information has been or will be misused as a result of the breach.

If, after the investigation is concluded, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused, the business must notify the individual of the breach. The required notification generally must be given as soon as reasonably practicable, but not later than 45 days after the business concludes the required investigation. However, if the required notification is delayed by law enforcement as provided under the law, different notice requirements may apply (see § 14-3504(d)).

Note: Prior to giving the required notification described in the paragraph immediately above, a business must provide notice of a breach of the security of a system to the Maryland Attorney General, in compliance with certain provisions of § 14-3504(d) that may delay such notification.

Additional details and requirements are contained in the text of the amended law. The amended law is effective January 1, 2018.
