Maryland’s PIPA (Personal Information Protection Act) was enacted in May 2022 to ensure that Maryland consumers are reasonably protected as identity theft establishes itself as a growing threat. The law requires consumers to be notified in the case of a breach of their personal information so they can take steps to protect themselves.
The Maryland Personal Information Protection Act (PIPA) does not meet the bar of a comprehensive privacy law. The most recent revisions, however, bring it closer to the level of the sweeping privacy laws enacted by the five states that lead the way in comprehensive privacy legislation: California, Colorado, Connecticut, Utah, and Virginia.
The new PIPA law (HB962) took effect on October 1, 2022. We’ll outline the key revisions below.

Maintaining Reasonable Security
Starting from Oct. 2022, entities that maintain personal information about residents of Maryland must maintain “reasonable security” practices that are proportional to the type of information and the nature and size of the business that holds the data.
Notably, the new amendment updates the requirement of maintaining reasonable security safeguards for any business that maintains the information, even if it doesn’t own or license it. Third-party service providers are an example of maintainers.
Unlike the NY SHIELD Act, Maryland’s data protection act does not outline the specific security safeguards to implement. Instead, the bill uses the somewhat ambiguous word “reasonable” to describe the measures expected to protect personal data.
Personal Information
Maryland’s most recent PIPA law updated the definition of personal information. In the newest revision to the law, personal information includes a person’s first and last name combined with any of the following data:
- Social security number
- Driver’s license ID number
- Credit card or debit card number that, in combination with a required security code or password, would permit access to an individual’s financial account
- Individual taxpayer identification number
- Passport numbers and other federally issued ID numbers
- State ID card numbers
- Health information
- Health insurance policy number in combination with a unique identifier code that permits access to the health-related information
- Biometric data
- Username or email address in combination with a password or security question
- Genetic information (more on that below)
Genetic Information
Maryland was one of a select group of states that included genetic information in their listing of personal information categories in previous Maryland consumer protection acts. HB962 expands and specifies exactly which types of genetic information are subject to breach notification requirements.
The revised specification of genetic information broadly refers to any data that results from the analysis of a biological sample of the individual. It also includes the following information types:
- DNA
- RNA
- Genes
- Chromosomes
- Alleles
- Genomes
- Alterations or modifications to DNA or RNA
- Single nucleotide polymorphisms
- Uninterpreted data that results from the analysis of a biological sample from the individual or other sources
- Information extrapolated, derived, or inferred from the 10 information types listed above.
Substitute Notice
The act stipulates that notification should be communicated by substitute notice if the business lacks sufficient contact information to notify affected individuals.
The bill requires substitute notice to include notification in major print or broadcast media in the areas where affected individuals reside.
Risk of Harm Threshold
The PIPA law describes a threshold for determining whether a breach would trigger notification requirements. After the discovery of a security breach, the targeted business must “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach…Unless the business reasonably determines that the breach of the security of the system does not create a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data shall notify the individual of the breach.”
In other words, if the business reasonably determines that the personal information involved in the breach is not likely to be misused, the notification requirements are not triggered.
The risk of harm threshold is a familiar inclusion in other state legislation requiring data breach notification. It is also mentioned in some well-known privacy laws, including GDPR and HIPAA.
Notification Timelines
The PIPA amendments of 2022 reduce the period for the notification of a data breach. Notification timeline instructions are divided into two categories:
- Notification requirements for information owners or licensed parties
- Notification requirements for entities that maintain personal information such as third-party service providers
Owners or Licensed Parties
Disclosure notification must be delivered by the information owners or licensed parties within 45 days after the discovery of a security breach. This replaces a previous clause under which the 45-day period commenced after the conclusion of the investigation of the incident.
The disclosure requirements state that notification is required unless the business determines that the personal information involved in the breach is not likely to be misused.
Maintainers
Service providers that maintain personal information must provide notice to the owner of the information within 10 days after discovery of the breach.
Investigation Delays
In the case where law enforcement delays the notification process because it “determines that the notification will impede a criminal investigation or jeopardize homeland or national security,” the owner of the personal information is required to provide notice of the breach within 7 days or by the expiration of the original 45-day period, whichever occurs first.
Tighter notification timelines will help individuals mitigate the damage and likelihood of identity theft as a result of a data breach.
Notice to Attorney General
The new PIPA amendment includes some new specifics in the process of reporting to the attorney general of Maryland. The report must now include:
- The number of affected Maryland residents
- A description of the breach that describes how and when the breach occurred
- The remediation steps the business has taken or plans on taking regarding the breach
- A sample notification letter that is to be used to disclose details of the breach to impacted Maryland residents
Next Steps for Maryland Privacy Law
New trends will likely continue to prompt amendments to Maryland’s data breach notification laws. Businesses should develop their incident response plans with flexibility in mind to ensure ease of compliance with constantly evolving breach notification requirements.
Contact Centraleyes with your questions about state privacy developments.
Centraleyes State Privacy Law Tracking
Centraleyes has you covered on the latest updates to state privacy policies.
Check out our other articles on pertinent laws like California’s CPRA, Colorado’s CPA, Utah’s UCPA, and Virginia’s VCDPA.