HR Alert

Maryland Amends Personal Information Protection Act

Amended Law Effective January 1, 2018

Maryland has amended its Personal Information Protection Act, which (among other things) imposes certain employer investigation and notice requirements. Highlights of the amended law are presented below.

Definitions of 'Personal Information'
The amended law contains two different definitions of "personal information." First, "personal information" generally means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:

  • A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;
  • A driver's license number or state identification card number;
  • An account number, a credit card number, or a debit card number--in combination with any required security code, access code, or password--that permits access to an individual's financial account;
  • Health information, including information about an individual's mental health;
  • A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; or
  • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account.

Alternatively, "personal information" generally means a user name or email address in combination with a password or security question and answer that permits access to an individual's email account.

Breach Investigation and Notification
A business that owns or licenses computerized data that includes personal information of an individual residing in Maryland, when it discovers or is notified of a breach of the security of a system, must conduct in good faith a reasonable and prompt investigation to determine the likelihood that the individual's personal information has been or will be misused as a result of the breach.

If, after the investigation is concluded, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused, the business must notify the individual of the breach. The required notification generally must be given as soon as reasonably practicable, but not later than 45 days after the business concludes the required investigation. However, if the required notification is delayed by law enforcement as provided under the law, different notice requirements may apply. For more information, see section 14-3504(d).

Note: Prior to giving the required notification described in the paragraph immediately above, a business must provide notice of a breach of the security of a system to the Maryland Attorney General (in compliance with certain provisions (section: 14-3504(d)) that may delay such notification).

Additional details and requirements are contained in the text of the amended law. The amended law is effective January 1, 2018.

