Update Applicable to:
All employers that retain records of personal information in the state of Maryland.
On May 29, 2022, Maryland enacted House Bill 962 (HB 962), which amends the Maryland Personal Information Protection Act (the Act) by changing the data breach notification requirements and expanding the scope of businesses subject to the Act’s data security requirements.
What are the details?
Effective October 1, 2022, the key changes summarized below will go into effect:
- Expanded scope of data security requirements: The requirement to implement and maintain “reasonable” security measures now also applies to businesses that merely maintain the personal information of Maryland residents on another party’s behalf, not only to those that own or license such information.
- Expanded definition of personal information: The definition of genetic information has been revised and expanded. This change follows a similar update California made to its breach notification law.
- Additional notice requirements to the Attorney General: Additional information must now be provided in any notice to the Attorney General. This includes the number of affected Maryland individuals and a description of the breach, including when and how it occurred. It also includes steps the company has taken or plans to take relating to the security of the system and a sample notice sent to affected individuals.
- Impacts on timing requirements: Businesses that maintain personal information on behalf of the owner or licensee must notify the owner or licensee of a breach as soon as practicable, but no later than 10 days (formerly 45) after discovering or being notified of the breach. Companies that maintain information on another’s behalf may already face shorter notification deadlines by contract, but this is a fairly aggressive statutorily imposed timing requirement.
For businesses that own or license personal information and whose notification is delayed because of a law enforcement investigation, notification must be made as soon as reasonably practicable, but within seven days (previously 30) after the law enforcement agency determines that notification will not impede the investigation. The seven-day deadline applies where the original 45-day notification period has already lapsed; otherwise, notification remains due by the end of the original 45-day period.
For more information, please see the links below:
What do employers need to do?
Employers should review the links provided above and update their breach response and notification policies and procedures, including vendor contracts and internal timelines, to comply with the amended law before its October 1, 2022 effective date.
Need help understanding how changes to employment laws will affect your business?
Learn more about how Vensure's Maryland PEO services can help you navigate complex employment laws and keep your business compliant.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.