Maryland Data Breach Notification Requirements

WHAT ENTITIES ARE SUBJECT TO DATA BREACH NOTIFICATION LAW? Any business entity that owns, licenses, or maintains computerized data that includes personal information of an individual residing in Maryland, whether or not the business is located in Maryland.

Includes non-profits.

Includes financial institutions organized, chartered, licensed, or otherwise authorized under the laws of this State, any other state, the United States, or any other country, and the parent or subsidiary of a financial institution. (However, see "COMPLIANCE WITH FEDERAL LAW," below.)

WHAT INFORMATION IS PROTECTED? Personal information, which includes:

  • An individual's first name or first initial and last name in combination with any one or more of the following data elements:

    • A Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government;

    • A driver's license number or State identification card number;

    • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual's financial account;

    • Health information, including information about an individual's mental health;

    • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or

    • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.

    • NOTE: This category applies only if the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable.

  • A user name or e-mail address in combination with a password or security question and answer that permits access to an individual's e-mail account (whether encrypted or not).

“Personal information” does NOT include:

  • Publicly available information that is lawfully made available to the general public from federal, State, or local government records;

  • Information that an individual has consented to have publicly disseminated or listed; or

  • Information that is disseminated or listed in accordance with the federal Health Insurance Portability and Accountability Act.

WHAT IS A BREACH? The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.

Can include ransomware.

DOES NOT INCLUDE the good faith acquisition of personal information by an employee or agent of a business for the purposes of the business, provided that the personal information is not used or subject to further unauthorized disclosure.

WHAT MUST A BUSINESS DO UPON DISCOVERY OF BREACH? Upon discovery of a breach, a business that owns or licenses personal information must conduct a good-faith, reasonable, and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.

A business that maintains (but does not own or license) computerized personal information shall notify the owner or licensee of the data breach if it is likely that the breach has resulted or will result in the misuse of personal information of a Maryland resident.

DATA BREACH NOTIFICATION REQUIREMENTS: If the investigation concludes that misuse of the individual's personal information has occurred or is reasonably likely to occur as a result of a breach, the business must notify the individual of the breach as soon as reasonably practicable after the business conducts the investigation, but not later than 45 days after the business discovers or is notified of the data breach.

EXCEPTIONS: A business may delay notification:

If a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security; or

To determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.

If the data breach affects 1,000 or more individuals, the business must also promptly notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notices.

WHEN MUST A BUSINESS NOTIFY CUSTOMERS OF A DATA BREACH? As soon as reasonably practicable, but not later than 45 days after the business discovers or is notified of the data breach.

NOTIFICATION METHODS: By mail or telephone. E-mail notice is permitted if the individual has expressly consented to receive electronic notice or if the business conducts its business primarily through Internet account transactions or the Internet.

Substitute notice is permitted if the business demonstrates that the cost of providing notice would exceed $100,000 or that the affected class of individuals to be notified exceeds 175,000, or if the business does not have sufficient contact information to give actual notice.

WHAT MUST THE DATA BREACH NOTIFICATION INCLUDE?

  • A description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired;

  • Contact information for the business making the notification, including the business's address, telephone number, and toll-free telephone number if one is maintained;

  • The toll-free telephone numbers and addresses for the major consumer reporting agencies;

  • The toll-free telephone numbers, addresses, and Web site addresses for the Federal Trade Commission and the Office of the Attorney General; and

  • A statement that an individual can obtain information from these sources about steps to avoid identity theft.

In the case of a data breach involving personal information that permits access to an individual's e-mail account and no other personal information, a business may satisfy Maryland’s notification requirements by providing the notification in electronic or other form that directs the individual whose personal information has been breached promptly to:

  • Change the individual's password and security question or answer, as applicable; or

  • Take other steps appropriate to protect the e-mail account with the business and all other online accounts for which the individual uses the same user name or e-mail and password or security question or answer.

A business must provide notice of a breach of the security of a system to the Office of the Attorney General before notifying individuals.

COMPLIANCE WITH FEDERAL LAW: A business that complies with the requirements for notification procedures, the protection or security of personal information, or the destruction of personal information under the rules, regulations, procedures, or guidelines established by the primary or functional federal or State regulator of the business shall be deemed to be in compliance.

This specifically includes a business that complies with the federal Health Insurance Portability and Accountability Act of 1996, § 501(b) of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, § 216 of the federal Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681w, the federal Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and any revisions, additions, or substitutions to them; such a business shall be deemed to be in compliance with this subtitle.

SOURCE: MD Comm L Code § 14-3501 et seq. Effective as of January 2018.

Sean Griffin is an attorney and certified cybersecurity expert (CIPP-US) who advises clients on cybersecurity and litigates cybersecurity/privacy cases in Virginia, Maryland, and the District of Columbia. You can reach him via email at sgriffin@dykema.com or by phone at (202) 906-8703.
