April 9, 2020

Maryland Adds Insurance Commissioner to Breach Notification Requirements

Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of their breach notification requirements.

In August 2019, the Maryland Insurance Administration issued Bulletin 19-14 informing insurers, nonprofit health plans, HMOs, managed care organizations, managed general agents and third party administrators of a new notice requirement for data breaches.

After an incident, once the regulated company conducts the investigation required by the state’s existing data breach law, the new rule requires that regulated entity to also send notice to the Maryland insurance commissioner if the breach of security “creates a likelihood that personal information has been or will be misused”. The notice must be sent to the commissioner at the same time as the notice submitted to the Maryland AG. The notification must include 1) a description of the security breach, 2) a copy of any consumer notifications, and 3) a copy of the notice sent to the Maryland AG. An online form can be used to submit the notice.

October looks to be a busy month for new breach notification obligations in Maryland. We previously reported on the other amendment happening next month.

Putting it into Practice: If your organization provides health insurance and related services, now is the time to update your nationwide breach notice plan to address this additional notification requirement. Maryland is not the only state to have requirements specific to insurance companies or to require notification to an insurance commissioner. Connecticut, Ohio, New Hampshire, and Washington do as well (among others).

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author


Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums.

Ms. Rollins serves as a trusted advisor to her clients, bringing a focused, strategic approach to complex litigation and investigation matters alike. Her clients praise her ability to efficiently and effectively manage complex matters with multiple moving pieces, and to concisely and persuasively communicate the core issues of her clients’ cases to judges, regulators, and opposing counsel. These traits have enabled Ms. Rollins to successfully argue critical motions, procure dismissals, and achieve successful resolutions for her clients.