July 7, 2022

Volume XII, Number 188


Maryland Amends Data Security and Breach Notice Obligations

Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:

  1. Expanded scope of data security requirements: The requirement to implement and maintain “reasonable” security measures will also apply to businesses that maintain personal information of Maryland residents (and not just those who own or license such information).

  2. Expanded definition of personal information: The definition of genetic information has been revised and expanded. This change follows a similar update California made to its breach notification law.

  3. Additional notice requirements to the Attorney General: Additional information must now be provided in any notice to the Attorney General. This includes the number of affected Maryland individuals and a description of the breach, including when and how it occurred. It also includes steps the company has taken or plans to take relating to the security of the system, and a sample notice sent to affected individuals.

  4. Impacts to Timing Requirements: Businesses that maintain personal data must notify the owner of the data of a breach as soon as practicable, but within 10 (formerly 45) days of discovering or being notified of the breach. While in some cases, companies maintaining information may have shorter notification obligations by contract, this is a fairly aggressive statutorily imposed timing requirement. For businesses owning or licensing personal information whose notification is delayed because of circumstances surrounding a law enforcement investigation, notification must be made as soon as reasonably practicable, but within seven (previously 30) days after the law enforcement agency determines that notification will not impede an investigation. This is if the original 45-day period has lapsed or by the end of the original 45-day period.

Putting it Into Practice: Beginning October 1, 2022, companies that suffer a breach impacting Maryland residents will want to keep in mind these changes. Namely, the expanded definition of personal information, shortened notification timelines, and content requirements for regulator notification.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 173

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335