Share this article on:
Maryland data breach notification law has been updated, with the definition of personal information now expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change.
Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused.
The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.
The new definition of personal information also includes, passport numbers, other federal government-issued ID numbers, state identification card numbers, any information covered by HIPAA Rules, biometric data, an email address in combination with a password or security question that permits access to the account, and health insurance policy information, certificate numbers, or subscriber ID numbers in combination with an identifier that allows the information to be used.
Businesses must implement and maintain reasonable security procedures and practices to protect the confidentiality of personal information. If personal information is disclosed to a third party, the business must state in its contracts with those third parties that reasonable security procedures and practices must be implemented and maintained.
However, “reasonable security procedures and practices” have not been defined in the new statue.