On January 1, 2018, amendments to the Maryland Personal Information Protection Act (Md. Code Com. Law § 14-3501 et seq.), enacted by House Bill 974, take effect. The Act applies to Maryland businesses. It was originally enacted in 2008 to help protect consumers’ personal information from identity thieves. If your business maintains records that include personal information regarding customers, clients, former employees or current employees, read on to familiarize yourself with these new amendments.

Here’s a brief overview of the amendments.

“Personal Information”

The amendments expand the definition of “personal information.”

The current statute (Md. Code Com. Law § 14-3501) defines “personal information” to include a person’s first name or first initial and last name combined with any of the following:

  • Social Security number
  • Driver’s license number
  • Financial account number, including a credit or debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s financial account; or
  • Individual taxpayer identification number

The amendments expand this list to include:

  • Passport numbers and other identification numbers issued by the federal government
  • State identification card numbers
  • Health information (defined to include any information created by an entity covered by HIPAA regarding an individual’s medical history, condition, treatment, or diagnosis, including information about an individual’s mental health)
  • A health insurance policy, certificate number, or health insurance subscriber identification number, in combination with a unique identifier that permits access to an individual’s health information
  • Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic that can be used to uniquely authenticate a person’s identity upon accessing a system or account
  • A username or email address in combination with a password or security question and answer that permits access to an individual’s email account

Timing of notification

The amendments require that notification be sent to individuals whose data was taken within forty-five (45) days after the conclusion of an investigation of the breach. There are a few exceptions to this deadline, but it generally applies.

Query whether the Maryland Legislature should have shortened this time period, given the response to Equifax’s delay in conveying information about its own data breach.

Method of notification

The law already requires that notification reach victims of a data breach via certain pathways and in certain forms. The amendments allow a new form of notification when the data breach only enables access to an individual’s email account.

If the breach enables access to email accounts only, the business, as an alternative to the traditional forms of notification, may

  • Notify the individuals affected through an electronic or other form; and
  • Suggest that these individuals promptly
    • change their password and security question or answer; or
    • take other steps appropriate to protect the email account with the business and all other online accounts for which the individual uses the same user name or email and password or security question or answer

Notification of the breach should be sent to the email address affected by the breach only if, at the time the notification is being sent, the business can tell that the individual is connected to that email account from an internet protocol address or online location from which the business knows that individual customarily accesses the account; otherwise, notification would need to go through the U.S. mail or to an alternative email address the business may have for that individual.

Exception for HIPAA-covered entities

If your business is subject to and in compliance with HIPAA, it is deemed to be in compliance with the new law.

Destruction of Records

The amendments also expand §14-3502—the destruction of records provision. The current law addresses only customer records that contain personal information. The new version adds records related to current and former employees.

Basically, if a business disposes of records that contain personal information about clients, customers, or current or former employees, it must take reasonable steps to avoid unauthorized access to or use of that information. There is very little guidance provided in this section—leaving it pretty much up to each business to determine a reasonable way to dispose of the information in light of its sensitivity, the size and nature of the business, the cost of the various destruction methods, and the technology available to the business.

If you have questions related to the Maryland Personal Information Protection Act, Astrachan Gunst Thomas can help. Please contact Elizabeth Harlan at 410-783-3528 or eharlan@agtlawyers.com.