October 14, 2019

October 11, 2019


Maryland Privacy Act Amendments Impact Businesses That Maintain Computerized Personal Information

On April 30, 2019, Maryland governor Larry Hogan approved a series of amendments to the Maryland Personal Information Protection Act. The amendments, effective October 1, 2019, impact data breach obligations imposed on businesses that “maintain” computerized data containing personal information. “Personal information” under the Maryland privacy act includes a broad category of personal identifiers—such as an individual’s social security number, tax ID number, or biometric data—combined with his or her first and last name.

Under the existing law, any Maryland business that owns or licenses computerized data that includes personal information of an individual who resides in Maryland must undertake a prompt and reasonable investigation when it is notified or becomes aware of unauthorized access to such information. If the business determines that the data breach “creates a likelihood that personal information has been or will be misused,” it must provide notice of the unauthorized access to the individual. Subject to limited exceptions, the business must provide notice as soon as reasonably practicable, but no later than 45 days after the business concludes its investigation. The law also includes provisions governing the allocation of costs associated with obtaining necessary information, the manner of notification to affected individuals, and the use of information obtained during a data breach investigation.

The recent amendments expand the obligations of businesses that “maintain” computerized data that includes personal information. Businesses maintaining personal computerized data will now be required to perform a prompt and reasonable investigation to identify the risk of harm to the individuals associated with the compromised personal information. Notably, the amendments do not require these businesses to notify the individuals affected by the data breach. Instead, businesses maintaining personal computerized information are required only to notify the owner or licensee of the personal computerized information no later than 45 days after discovery of the breach. The new language expressly limits the duty to notify affected individuals to the “owner or licensee of the computerized data.”

Although relatively minor, the recent amendments to the privacy act impose new responsibilities on businesses that may not be prepared to conduct a prompt and reasonable investigation into a suspected data breach. The changes also serve as a reminder of the rapidly changing data privacy landscape (see our recent article addressing Maine’s data privacy restrictions) and the need for diligence in compliance efforts.

© 2019, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

About this Author

Scott A. Siegner, Associate

Scott Siegner is an attorney in the Richmond office of Ogletree Deakins. Scott’s practice includes employment litigation and counseling, with a focus on litigating claims of employment discrimination, wrongful discharge, harassment, and wage and hour violations in both state and federal court.  Scott has successfully represented clients in multi-day jury trials, state grievance hearings, agency investigations, mediations, and arbitrations.

Prior to joining Ogletree Deakins, Scott worked as a litigation associate for a nationwide firm where he gained experience in medical malpractice...
