Reported Data Breaches Involving Maryland Residents on the Rise

Data breaches continue to occur on a spectrum of small to significant scale that can affect businesses of all sizes. In January alone, the Maryland Attorney General’s “Maryland Information Security Breach Notices” listed ninety-four (94) data breaches involving Maryland residents.[1]

Of the reported data breaches, personal information from 48,225 Maryland residents was potentially accessed and misused. 70% of the personal information was obtained through unauthorized access and inadvertent disclosures.[2]

Personal Information Protection Act (PIPA)

Maryland’s Personal Information Protection Act (“PIPA”) defines personal information as an individual’s first and last name in combination with:

  • A Social Security number, an Individual Taxpayer Identification number, a passport number, or other identification number issued by the federal government;
  • A driver's license number or state identification card number;
  • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual's financial account;
  • Health information, including information about an individual's mental health;
  • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or
  • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.[3]

P.A.R.© - Prepare. Adapt. Respond.

Prepare

Spending the time and resources to prepare your company for a data breach or unauthorized access to information is the best and only way to mitigate the financial, reputational, and legal consequences of a data breach.

Adapt

Companies need to take reasonable security measures to protect and safeguard the personal information of Maryland residents.[4] Further, companies must require third-party providers to implement and maintain reasonable security practices and procedures.[5]

Respond

Maryland defines a data breach as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.”[6] When a breach occurs, companies must take the appropriate steps to ensure compliance with state, federal, and international law.

Regarding Maryland law, first, the company must investigate the data breach. Second, if the company determines that the personal information obtained has been or could be misused, the company must, within a reasonable time but no longer than forty-five (45) days, notify the Office of the Attorney General of the data breach before notifying the affected individuals.[7] Third, after notifying the Office of the Attorney General, the company must follow a specific and detailed process to notify affected individuals.[8] Finally, the company must maintain records that reflect its determination for three (3) years[9] after the investigation concludes.

If a company has personal information of individuals of other states or countries, the company must be cognizant of the necessary steps to take to comply with specific data protection and privacy laws.

Spencer P. Pollock, Esq., CIPP/US is an attorney at Niles, Barton & Wilmer, LLP, concentrating his practice in data security and privacy law, civil litigation, and insurance law. He is a Certified Information Privacy Professional (CIPP/US) who counsels and represents companies in navigating international, federal, and state privacy and data governance laws. Please contact our Data Security and Privacy group for more information.

[1] http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/breachnotices.aspx
[2] Id.
[3] Maryland Code, Commercial Law § 14-3501 to 14-3508.
[4] Maryland Code, Commercial Law § 14-3503(a).
[5] Maryland Code, Commercial Law § 14-3503(b).
[6] Maryland Code, Commercial Law § 14-3504(a).
[7] When the data breach involves a Maryland resident(s).
[8] Exceptions to the notice requirement apply under certain circumstances.
[9] Maryland Code, Commercial Law § 14-3504(b)(3).
