Security Breach Notification Law in the State of Maryland
Md. Code Com. Law §§ 14-3501 et seq., also known as the Maryland Personal Information Protection Act, is a security breach notification and personal privacy law that was passed in the U.S. state of Maryland in 2008. Under the law, businesses and organizations that operate within the state of Maryland must follow a strict protocol as it pertains to security breach notifications, as well as the destruction of personal information related to residents of the state. With this being said, the Maryland Personal Information Protection Act represents the foremost means by which the personal privacy of residents within the state is legally protected.
What are the requirements under the Act as it relates to the destruction of personal data?
Under the Maryland Personal Information Protection Act, businesses within the state are responsible for taking reasonable steps to prevent unauthorized disclosure when destroying personal information pertaining to residents of the state. More specifically, “businesses must maintain reasonable security procedures and practices based on a risk analysis considering the business and the information at issue. If a business uses a non-affiliated third party as a service provider and discloses personal information of Maryland residents under a written contract, then the business must require the third party to implement and maintain reasonable security procedures appropriate to the personal information and reasonably designed to protect from unauthorized access, modification, disclosure, or destruction.”
What are the security breach notification requirements under the Act?
Under the Maryland Personal Information Protection Act, businesses within the state are required to provide notification to all affected parties and individuals should a data breach occur. These notifications must be provided to Maryland residents “as soon as reasonably practicable”, but no later than 45 days after the date of the discovery of the breach. These notifications must provide affected individuals with various forms of information, including the types of personal information that were compromised during the breach, as well as any steps that affected consumers can take to protect credit and identities, among other relevant information. Furthermore, data breaches that affect more than 1,000 residents within Maryland must also be reported to the major credit bureaus around the country.
What personal information is protected under the Maryland Personal Information Protection Act?
Under the Maryland Personal Information Protection Act, the following categories are legally protected in the event that said information is compromised as a result of a security breach, in combination with a Maryland resident’s first and last name, or first initial and last name, in instances where these data elements have not been rendered unreadable or unusable through the means of encryption, or technological means such as redaction:
- Social security numbers.
- Drivers license numbers.
- Financial account numbers, including credit and debit card numbers, as well as any access codes or passwords that could be used to permit entry to an individual’s financial account.
- Individual Taxpayer ID numbers and state identification numbers.
- Passport numbers.
- Health information, insurance, HIPAA, and medical history data.
- Biometric identifiers such as fingerprints, voiceprints, and retina images.
- User account information, as well as any applicable security questions or answers.
What are the penalties for violating the Maryland Personal Information Protection Act?
In terms of penalties in relation to non-compliance with the law, the various provisions set forth in the Maryland Personal Information Protection Act are enforceable by the Maryland attorney general. To this point, the Maryland attorney general has the authority to impose numerous sanctions and penalties against businesses and organizations within the state that are found to be in violation of the law. Such punishments include:
- A cease and desist order.
- Civil penalties of up to $1,000 for the first offense.
- Additional civil penalties of up to $5,000 for further violations.
- Private right of action to recover damages, injuries, or losses.
As the state of Maryland continues to deliberate over the passing of a comprehensive data privacy law, legislation such as the Maryland Personal Information Protection Act ensures that residents of the state are able to enjoy some modicum of data protection and personal privacy. Through the law, residents of the state can take a number of measures and legal actions should their personal data be compromised as a result of a data breach, or a business fails to destroy their personal information in a manner that would prevent unauthorized disclosure. As such, any further developments that arise as it concerns privacy legislation will only build upon the level of protection that residents of the state currently enjoy.