15 Dec Maryland Legislative Update
The Maryland legislature recently amended the Maryland Personal Information Protection Act (the “Act”), effective January 1, 2018.
Maryland House Bill 974
The Act now protects both a customer’s personal information and the personal information of an employee or former employee.
“Business” means a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit; it includes a financial institution organized, chartered, licensed or otherwise authorized under the laws of Maryland, any other state, the U.S., or any other country, and the parent or subsidiary of a financial institution.
“Encrypted” means the protection of data in electronic or optical form using an encryption technology that renders the data indecipherable without an associated cryptographic key necessary to enable decryption of the data.
“Health information” means any information created by an entity covered by the Federal Health Insurance Portability and Accountability Act of 1996 regarding an individual’s medical history, medical condition, or medical treatment or diagnosis.
“Personal information” means:
- An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:
  - Social security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;
  - Driver’s license number or state identification card number;
  - Account number, a credit card number, or a debit card number in combination with any required security code, access code, or password that permits access to an individual’s financial account;
  - Health information, including information about an individual’s mental health;
  - Health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information; or
  - Biometric data of an individual, generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or
- A user name or email address in combination with a password or security question and answer that permits access to an individual’s email account.
When a business is destroying a customer’s, an employee’s, or a former employee’s records that contain personal information of that person, the business must take reasonable steps to protect against unauthorized access to or use of the personal information.
A business that uses a nonaffiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in Maryland under a written contract with the third party must require by contract that the third party implement and maintain reasonable security procedures and practices.
A business that owns or licenses computerized data that includes personal information of an individual residing in Maryland, when it discovers or is notified of a breach of the security of a system, must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused as a result of the breach.
If, after the investigation is concluded, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused, the business must notify the individual of the breach. The notification must be given as soon as reasonably practicable, but not later than 45 days (previously 30 days) after the business concludes the investigation. If the business determines that notification is not required, the business must maintain records that reflect its determination for 3 years.
A business that maintains computerized data that includes personal information of an individual residing in Maryland that the business does not own or license, upon discovery or notification of a breach of the security of a system, must notify, as soon as practicable, the owner or licensee of the personal information of the breach of the security of the system. The notification must be given as soon as reasonably practicable, but not later than 45 days (previously 30 days) after the business discovers or is notified of the breach of the security of the system.
The notifications required above may be delayed:
- If a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security; or
- To determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system.
If notification is delayed, it must be given as soon as reasonably practicable, but not later than 30 days after the law enforcement agency determines that it will not impede a criminal investigation and will not jeopardize homeland or national security.
In the case of a breach of the security of a system involving personal information that permits access to an individual’s email account and no other personal information, the business may comply with the notification requirement by providing the notification in electronic or other form that directs the individual to:
- Change the individual’s password and security question or answer, as applicable; or
- Take other steps appropriate to protect the email account with the business and all other online accounts for which the individual uses the same user name or email and password or security question or answer.
The Act sets forth the methods that are permissible for the business to provide the above notifications, including when the notice may or may not be given by electronic mail.
If a business is required to give notice of a breach of the security of a system to 1,000 or more individuals, the business also must notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined under federal consumer credit reporting law, of the timing, distribution, and content of the notices.
A business, or an affiliate, that is subject to and in compliance with the federal Health Insurance Portability and Accountability Act of 1996 is deemed to be in compliance with the Act.