On April 30, 2019, Maryland governor Larry Hogan approved a series of amendments to the Maryland Personal Information Protection Act. The amendments, effective October 1, 2019, impact data breach obligations imposed on businesses that “maintain” computerized data containing personal information. “Personal information” under the Maryland privacy act includes a broad category of personal identifiers—such as an individual’s social security number, tax ID number, or biometric data—combined with his or her first and last name.
Under the existing law, any Maryland business that owns or licenses computerized data that includes personal information of an individual who resides in Maryland must undertake a prompt and reasonable investigation when it is notified or becomes aware of unauthorized access to such information. If the business determines that the data breach “creates a likelihood that personal information has been or will be misused,” it must provide notice of the unauthorized access to the individual. Subject to limited exceptions, the business must provide notice as soon as reasonably practicable, but no later than 45 days after the business concludes its investigation. The law also includes provisions governing the allocation of costs associated with obtaining necessary information, the manner of notification to affected individuals, and the use of information obtained during a data breach investigation.
The recent amendments expand the obligations of businesses that “maintain” computerized data that includes personal information. Businesses maintaining personal computerized data will now be required to perform a prompt and reasonable investigation to identify the risk of harm to the individuals associated with the compromised personal information. Notably, the amendments do not require these businesses to notify the individuals affected by the data breach. Instead, businesses maintaining personal computerized information are required only to notify the owner or licensee of the personal computerized information no later than 45 days after discovery of the breach. The new language expressly limits the duty to notify affected individuals to the “owner or licensee of the computerized data.”
Although relatively minor, the recent amendments to the privacy act impose new responsibilities on businesses that may not be prepared to conduct a prompt and reasonable investigation into a suspected data breach. The changes also serve as a reminder of the rapidly changing data privacy landscape (see our recent article addressing Maine’s data privacy restrictions) and the need for diligence in compliance efforts.