In May 2014, eBay announced that hackers had accessed its company network using the credentials of three corporate employees for 229 days, during which they exposed the names, addresses, birth dates, and encrypted passwords of all 145 million users of the website. In 2015, the United States Office of Personnel Management discovered that it had been targeted by two cyberattacks, during which the background investigation records of current, former, and prospective Federal employees and contractors were compromised. The breach resulted in the theft of over 20 million individuals’ names, birth dates, home addresses, social security numbers, and approximately five million fingerprints. In July 2017, Equifax announced that a data breach had exposed the personal information of 143 million consumers, including social security numbers, birth dates, addresses, and even some drivers’ license numbers.
While these breaches are well known for their scale and impact, thousands of other breaches occur daily. According to The Breach Level Index, approximately 9,198,580,293 data records have been lost or stolen since 2013, an estimated 216,295 records every hour. Of these breaches, only 4% were considered “secure,” meaning that the records were encrypted and therefore rendered useless to whoever obtained them. Data breaches can originate internally, whether intentionally or accidentally, or externally, and any breach can affect consumer and/or employee data. The question for businesses is what happens next and what responsibilities are triggered when a breach occurs.
Maryland’s Personal Information Protection Act
Maryland’s Personal Information Protection Act (PIPA) provides statutory definitions and requirements for businesses (which includes any type of business entity, including non-profits) facing a data breach. PIPA defines a breach and sets forth the requirements that apply once a breach has occurred. PIPA has been amended; the amendments, which expand the scope of the statute, become effective on January 1, 2018.
What is a Data Breach?
For PIPA to apply, a data breach must have occurred. PIPA defines a data breach as “the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.” However, a breach does not include the good faith acquisition of personal information by an employee or agent of a business for business purposes so long as the information has not and will not be subject to unauthorized disclosure.
Personal information includes an individual’s first and last name or first initial and last name, combined with any of the following: (1) social security number; (2) driver’s license number; (3) financial account number, including a credit or debit card number; or (4) Individual Taxpayer Identification Number. However, beginning January 1, 2018, the following elements will be added to this list: (1) passport number; (2) any other state or federal identification number; (3) health information, including anything covered under HIPAA; (4) health insurance policy, certificate number, or subscriber identification number combined with a unique identifier that allows access to the information; (5) any biometric data including fingerprints, voice print, or retina image that can be used to authenticate an individual’s identity in order to access a system or account; and (6) a user name or e-mail address in combination with a password or security question that can be used to access an account. These elements only constitute personal information under PIPA when they are not encrypted, redacted, or otherwise protected in a way that renders the information unreadable or unusable. Under the amendments, the scope of potential breaches will be widely expanded.
What is Required if a Data Breach Occurs?
Once a business has information to suggest that a data breach may have occurred, it must then determine whether notice requirements are triggered. The notice requirements depend on whether a business owns or licenses the data, or simply maintains the data. These qualifications can be tricky. For instance, a business may believe that it merely maintains employees’ or customers’ personal information in its files, but not as the owner of the data. However, under PIPA, a business is considered to own or license data consisting of customer or employee personal information, even when the information is only kept as a matter of record. In contrast, if a business hires another entity to run its website, PIPA would consider the other entity as one that maintains the personal information owned or licensed by the business that hired it. This distinction is important because it drives which notice requirements apply in the event of a breach.
The notice requirements for a business owning or licensing data are stringent. When such a business discovers or is notified of a breach, PIPA mandates that the business conduct an investigation to determine whether there is a likelihood that the personal information will be misused. If the investigation leads the business to believe that the information has been or will be misused, then the business must provide notice. If a business does not believe that misuse is likely, then no notice is required, but the business nonetheless is required to maintain all records reflecting the basis for that determination for three years. In contrast, the requirements for a business that merely maintains personal information are less stringent. Under PIPA, a company that maintains personal information is required to notify the owner or licensee if it is likely that the breach has resulted or will result in the misuse of personal information of an individual residing in the State.
Once the notice requirement is triggered, a business that owns or licenses personal information is then required to notify the Office of the Attorney General of the data breach before notifying affected individuals. After the Attorney General is notified, then the business has a second and very specific notification that must be delivered to all individuals whose personal information was the subject of the breach. This notice must contain: (1) a description of the compromised information, (2) contact information of the business, (3) contact information for the major consumer reporting agencies, and (4) contact information for the Federal Trade Commission and the Office of the Attorney General, as well as a statement that individuals may obtain more information from these two offices about steps to take to avoid identity theft. Notice can be given via e-mail, telephone, or by written notice. PIPA currently requires notice to be given “as soon as reasonably practicable,” although effective January 1, 2018, businesses will be required to provide notice by no later than 45 days after the investigation has concluded.
Notably, PIPA (currently and under the 2018 amendment) fails to instruct businesses with specificity regarding the security measures to implement to avoid a data breach. Businesses are required to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.” Regardless of the security procedures a business implements, data breaches can still occur, but in today’s business environment, it is essential that businesses establish IT practices to protect data and respond quickly when and if a breach occurs. Prior to a breach, Maryland businesses should be familiar with PIPA’s requirements to comply with the investigatory and notice requirements.
Paul M. Finamore is a Partner in the Litigation and Employment Law Group at Niles, Barton & Wilmer, LLP. He regularly counsels employers on employment issues, workplace policies, and compliance with federal, state, and local employment laws.
Bethany P. Neeb is an associate attorney in the Litigation Department where she focuses her practice in civil litigation, including general commercial litigation, insurance defense, and employment law matters.