Update Applicable to:
All employers maintain the personal information of residents in the state of Maryland.

What happened?
On May 29, 2022, Maryland Governor signed House Bill 962 (HB 962) into law, which amends the Maryland Personal Information Protection Act (PIPA) by changing certain aspects of PIPA relating to breach notification and maintaining reasonable security measures to protect personal information.

What are the details?
Effective October 1, 2022, employers will be required to provide:

1. Reasonable Security: Beginning October 1, 2022, businesses that maintain the personal information of Maryland residents must implement and maintain “reasonable security” safeguards that are appropriate to the nature of the personal information maintained and the nature and size of the business and its operations. Previously the “reasonable security” requirements applied only to businesses that own or license such information, not those that maintain personal information. The bill does not specify the types of security safeguards that should be implemented and maintained, unlike other states’ reasonable security statutes (such as the NY SHIELD Act).

2. Notice to Attorney General: Maryland expanded the content requirements for notifications to the Attorney General. Notifications must now include the number of affected Maryland individuals, a description of the security breach, inclusive of when and how the breach occurred, any remediation steps the company has or plans to take in response to the security breach, and a sample notification letter that was sent to individuals.

3. Notification Timing: Businesses that maintain personal information on behalf of a data owner must notify the data owner of a security breach as soon as reasonably practicable but within 10 days of discovering or being notified of the security breach. Previously, businesses that maintained personal information had significantly more time to notify the data owner – up to 45 days. Further, for businesses that own or license personal information that has delayed notifying individuals due to a law enforcement investigation, the notification must be made as soon as reasonably practicable and within seven days after law enforcement determines that notification will not impact the investigation. Previously, businesses had 30 days. The narrower notification timelines may help individuals mitigate any potential impact from the security breach, such as identity theft.

4. Definition of Personal Information: Maryland was already one of few states that explicitly included “genetic information” in the definition of “personal information,” but now, House Bill 962 expands and specifies what is considered genetic information subject to data breach notification requirements.  Genetic information is any data that results from analyzing a biological sample of the individual or equivalent information concerning genetic material. Genetic information includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived, or inferred from the above-referenced information concerning genetic material.
   

For more information, please see the links below:

House Bill 962 (HB 962)

Article 1 – Article 2

What do employers need to do?
Employers should review the links provided above, maintain personal information on behalf of a data owner and notify the data owner of a security breach as soon as reasonably practicable, but within 10 days of discovering or being notified of the security breach.

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.