July 3, 2022

Volume XII, Number 184


Maryland Amends Its Personal Information Protection Act

On May 29, 2022, the Maryland legislature enacted House Bill 962, which amends Maryland’s Personal Information Protection Act (the “Act”). The amendments update and clarify various aspects of the Act, including, but not limited to, the timeframe for reporting a data breach to affected individuals, and content requirements for providing notice to the Maryland Attorney General.

House Bill 962 shortens the number of days data owners and licensors, and their service providers, have to report data breaches to affected individuals. Once the amendments become effective, data owners and licensors will be required to notify affected individuals within 45 days of discovering or being notified of a breach, rather than within 45 days of concluding their investigation into the breach, as was required by the previous version of the Act. In addition, the timeframe for service providers to notify data owners and licensors of a breach has been shortened from 45 days to ten days. The timeframe for a data owner or licensor to notify the Maryland Attorney General has not changed; notice to the Attorney General still must be made in advance of notice to affected individuals.

Similarly, in breaches where notification is initially delayed because law enforcement “determines that the notification will impede a criminal investigation or jeopardize homeland or national security,” data owners and licensors, and their service providers, will no longer have 30 days to notify affected individuals after law enforcement determines notification is acceptable. Now, data owners and licensors must make their required notifications within the original 45-day period, or within seven days thereafter if the 45 days already have elapsed, while service providers have seven days to do so.

House Bill 962 also provides specific content requirements for notification to the Maryland Attorney General. Notifications must include, at a minimum: (1) the number of affected individuals residing in Maryland; (2) a description of the breach, including when and how it occurred; (3) any steps the business has taken or plans to take relating to the breach; and (4) the form of the notice that will be sent to affected Maryland residents and a sample of that notice.

Other changes to the Personal Information Protection Act include clarifications to the definition of “genetic information” and to the substitute notice requirements. The amended Personal Information Protection Act will take effect on October 1, 2022.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 174

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
