On April 30, 2019, Maryland governor Larry Hogan approved a series of amendments to the Maryland Personal Information Protection Act. The amendments, effective October 1, 2019, impact data breach obligations imposed on businesses that “maintain” computerized data containing personal information. “Personal information” under the Maryland privacy act includes a broad category of personal identifiers—such as an individual’s social security number, tax ID number, or biometric data—combined with his or her first and last name.

Under the existing law, any Maryland business that owns or licenses computerized data that includes personal information of an individual who resides in Maryland must undertake a prompt and reasonable investigation when it is notified or becomes aware of unauthorized access to such information. If the business determines that the data breach “creates a likelihood that personal information has been or will be misused,” it must provide notice of the unauthorized access to the individual. Subject to limited exceptions, the business must provide notice as soon as reasonably practicable, but no later than 45 days after the business concludes its investigation. The law also includes provisions governing the allocation of costs associated with obtaining necessary information, the manner of notification to affected individuals, and the use of information obtained during a data breach investigation.

The recent amendments expand the obligations of businesses that “maintain” computerized data that includes personal information. Businesses maintaining personal computerized data will now be required to perform a prompt and reasonable investigation to identify the risk of harm to the individuals associated with the compromised personal information. Notably, the amendments do not require these businesses to notify the individuals affected by the data breach. Instead, businesses maintaining personal computerized information are required only to notify the owner or licensee of the personal computerized information no later than 45 days after discovery of the breach. The new language expressly limits the duty to notify affected individuals to the “owner or licensee of the computerized data.”

Although relatively minor, the recent amendments to the privacy act impose new responsibilities on businesses that may not be prepared to conduct a prompt and reasonable investigation into a suspected data breach. The changes also serve as a reminder of the rapidly changing data privacy landscape (see our recent article addressing Maine’s data privacy restrictions) and the need for diligence in compliance efforts.
