Our lawyers are thinkers as well as doers—and have published numerous informative and insightful articles on topics related to their respective practices and our clients’ industries. Read what our people have to say about what’s important to you.


Reported Data Breaches Involving Maryland Residents on the Rise

Data breaches continue to occur on a spectrum of small to significant scale that can affect businesses of all sizes. In January alone, the Maryland Attorney General’s “Maryland Information Security Breach Notices” noted ninety-four (94) data breaches involved Maryland residents.[1]

Out of the reported data breaches, personal information from 48,225 Maryland residents was potentially accessed and misused. 70% of the personal information obtained occurred through unauthorized access and inadvertent disclosures.[2]

Personal Information Protection Act (PIPA)

Under Maryland’s Personal Information Protection Act (“PIPA”), defines  personal information as an individual’s first and last name in combination with:

  • A Social Security number, an Individual Taxpayer Identification number, a passport number, or other identification number issued by the federal government;
  • A driver's license number or state identification card number;
  • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual's financial account;
  • Health information, including information about an individual's mental health;
  • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or
  • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.[3]

P.A.R.© - Prepare. Adapt. Respond.


Spending the time and resources to prepare your company for a data breach or unauthorized access to information is the best and only way to mitigate the financial, reputational, and legal consequences of a data breach.


Companies need to take reasonable security measures to protect and safeguard the personal information of Maryland residents.[4] Further, companies must require third-party providers to implement and maintain reasonable security practices and procedures.[5]


Maryland defines a data breach as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business.”[6] When a breach occurs, companies must take the appropriate steps to ensure compliance with state, federal, and international law.

Regarding Maryland law, first, the company must investigate the data breach. Second, if the company determines that the personal information obtained has or could be misused, within a reasonable time, but no longer than forty-five (45) days, the company must notify the Office of the Attorney General of the data breach before notifying the affected individuals. [7] Third, after notifying the Office of the Attorney General, the company must follow a specific and detailed process to notify affected individuals.[8] Finally, the company must maintain records that reflect its determination for three (3) years[9] after the investigation concludes.

If a company has personal information of individuals of other states or countries, the company must be cognizant of the necessary steps to take to comply with specific data protection and privacy laws.

Spencer P. Pollock, Esq., CIPP/US is an attorney at Niles, Barton & Wilmer, LLP, concentrating his practice in data security and privacy law, civil litigation, and insurance law. He is a Certified Information Privacy Professional (CIPP/US) who counsels and represents companies in navigating international, federal, and state privacy and data governance laws. Please contact our Data Security and Privacy group for more information.

[2] Id.
[3] Maryland Code, Commercial Law § 14-3501 to 14-3508.
[4] Maryland Code, Commercial Law § 14-3503(a).
[5] Maryland Code, Commercial Law § 14-3503(b).
[6] Maryland Code, Commercial Law § 14-3504(a).
[7] When the data breach involves a Maryland resident(s).
[8] Exceptions to the notice requirement apply under certain circumstances.
[9] Maryland Code, Commercial Law § 14-3504(b)(3).

see all Business and Corporate Law articles »
see all Commercial Litigation articles »

Past Articles

Regulation Best Interest: Higher Standards for Broker-Dealers, Strengthened Protections for Investor

On June 5, 2019, the U.S. Securities and Exchange Commission (“SEC”) approved a new regulation…

read more »
When “Going Green” Isn’t Attractive – MD Court of Special Appeals Determines HOA Architectural Commi

The Maryland Court of Special Appeals provides helpful guidelines to homeowners and HOAs in addressing…

read more »
Regulation Best Interest: Higher Standards for Broker-Dealers, Strengthened Protections for Clients

In June, the Securities and Exchange Commission (“SEC”) adopted a new regulation, Regulation…

read more »
The Requirements and Impact of the Insurance Data Security Model Law

The National Association of Insurance Commissioners recommended that states pass the Insurance Data…

read more »
SEC Imposes New Requirements for Brokers and Advisers in Adoption of Regulation Best Interest

On June 5, 2019, the Securities and Exchange Commission (SEC) approved the Regulation Best Interest,…

read more »