Client Alert: Changes to Maryland Personal Information Protection Act

Businesses Must Investigate Security Incidents & Provide Notice

Date: September 29, 2022
The Maryland Personal Information Protection Act (“MPIPA”) requires businesses to implement reasonable security procedures and practices to protect individuals’ “personal information” from unauthorized access, use, modification or disclosure, including when destroying records that contain personal information. These requirements must be passed on, pursuant to a written contract, to service providers to which a business gives access to personal information. MPIPA also requires that businesses notify individuals whose personal information has been breached.

MPIPA was amended by House Bill 962 during the 2022 legislative session; the amendment goes into effect on October 1, 2022. The amendment expands the definition of personal information to include genetic information about individuals.

The amendment also changes the standard by which a business must assess whether notice of a security breach is required. MPIPA currently requires that notice be given if, following an investigation of a security breach, a business determines that the breach creates a likelihood that personal information has been or will be misused. The amendment will instead require that notice of a breach be given unless a business reasonably determines that the breach does not create a likelihood that personal information has been or will be misused. Thus, in effect, the new law creates a presumption that notice shall be given in the event of a security breach.

In addition, the amendment shortens the time by which notice of a breach must be given to individuals from 45 days following the conclusion of an investigation to 45 days following discovery of a breach or from being notified of a breach (for example, by a service provider). The time period for a service provider to notify a data owner or licensee of a breach has been shortened from 45 to 10 days after the service provider discovers or is notified of a breach.

In cases where law enforcement has requested that notification be delayed, under the amendment, notice must be given within seven days after law enforcement determines that notice no longer needs to be delayed if the original 45-day period has not elapsed, or at the end of the original 45-day period.

These changes to Maryland law require that businesses act quickly to investigate and mitigate security incidents that potentially involve individuals’ personal information. The privacy lawyers at WTP routinely assist with and oversee such investigations, working closely with forensic investigators and, in many cases, law enforcement agencies. We also routinely counsel clients regarding their notification obligations.

The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.