August 2022: Maryland Amends Data Breach and Reasonable Security Requirements

25 Aug

Update Applicable to:
All employers that maintain the personal information of residents of the state of Maryland.

What happened?
On May 29, 2022, Maryland's Governor signed House Bill 962 (HB 962) into law. The bill amends the Maryland Personal Information Protection Act (PIPA) by changing certain provisions of PIPA relating to breach notification and to maintaining reasonable security measures to protect personal information.

What are the details?
Effective October 1, 2022, the following changes apply to employers:

  1. Reasonable Security: Beginning October 1, 2022, businesses that maintain the personal information of Maryland residents must implement and maintain “reasonable security” safeguards that are appropriate to the nature of the personal information maintained and to the nature and size of the business and its operations. Previously, the “reasonable security” requirements applied only to businesses that own or license such information, not to those that merely maintain it. Unlike other states’ reasonable security statutes (such as the NY SHIELD Act), the bill does not specify the types of security safeguards that must be implemented and maintained.
  2. Notice to Attorney General: Maryland expanded the content requirements for notifications to the Attorney General. Notifications must now include the number of affected Maryland individuals, a description of the security breach (including when and how the breach occurred), any remediation steps the company has taken or plans to take in response to the security breach, and a sample of the notification letter sent to individuals.
  3. Notification Timing: Businesses that maintain personal information on behalf of a data owner must notify the data owner of a security breach as soon as reasonably practicable, but within 10 days of discovering or being notified of the security breach. Previously, businesses that maintained personal information had significantly more time to notify the data owner: up to 45 days. Further, where a business that owns or licenses personal information has delayed notifying individuals because of a law enforcement investigation, the notification must be made as soon as reasonably practicable and within seven days after law enforcement determines that notification will not impact the investigation. Previously, such businesses had 30 days. The narrower notification timelines may help individuals mitigate potential impacts of the security breach, such as identity theft.
  4. Definition of Personal Information: Maryland was already one of the few states that explicitly included “genetic information” in the definition of “personal information,” and House Bill 962 now expands and specifies what counts as genetic information subject to data breach notification requirements. Genetic information is any data that results from analyzing a biological sample of the individual, or equivalent information concerning genetic material. Genetic information includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived, or inferred from any of the above concerning genetic material.

For more information, please see the links below:

House Bill 962 (HB 962)

Article 1

Article 2

What do employers need to do?
Employers should review the links provided above. Employers that maintain personal information on behalf of a data owner must notify the data owner of a security breach as soon as reasonably practicable, but within 10 days of discovering or being notified of the security breach.