Skip Navigation

6310 Hillside Court
Suite 160
Columbia, MD 21046

P. 410-290-0707



Baltimore, MD 

P. 410-962-1199

MD Personal Information Protection Act

Maryland Personal Information Protection Act

Maryland businesses now have a statutory obligation to maintain the security of personal information of individuals.  Pursuant to the Maryland Personal Information Protection Act, effective January 1, 2008, Maryland businesses have certain obligations with regard to “personal information” of individuals with whom they do business or whose personal information is included in data records owned or licensed by the business.  The data covered by the new law is specific and limited: 

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:

(i) A Social Security number;

(ii) A driver's license number;

(iii) A financial account number, including a credit card number or debit card number, that in combination with any required security code, access code, or password, would permit access to an individual's financial account; or

(iv) An Individual Taxpayer Identification Number.  Md Code, Commercial Law § 14-3501(d)(1).

Publicly available information, information consented for release, or information regulated by HIPAA are excepted.  Md Code, Commercial Law § 14-3501(d)(2).

When destroying customer records containing personal information, businesses must take reasonable steps to prevent unauthorized access or use of the personal information.  Md Code, Commercial Law § 14-3502.

Businesses that maintain personal information must “implement and maintain reasonable security procedures and practices”.  Md Code, Commercial Law § 14-3503.

Under certain circumstances, businesses have an obligation to conduct an investigation and notify individuals if there is a breach of security and possible mis-use of the personal information. Md Code, Commercial Law § 14-3504.

Violations of the statute are unfair and deceptive trade practices under the Maryland Consumer Protection Act.  Md Code, Commercial Law § 14-3508.

BTLG Attorneys At Law

Talk to a lawyer

Bold labels are required.

News from BTLG:

Expansion of Definition of Race to Include Hairstyles
Effective October 1, 2020, the definition of race under Maryland discrimination laws has been expanded to also include hair styles
Maryland Economic Stabilization Act (“Mini Warn Law”)
Effective October 1, 2020, Maryland employers who employee 50 or more individuals are required to comply with updated mandatory provisions of the Maryland Economic Stabilization Act (“Mini Warn Law”)
Insurance Coverages for Businesses: Will your insurance cover you for a coronavirus-related loss?
Some insurance policies may allow for claims on coronavirus related losses
Maryland closes restaurants, gyms and theaters
Maryland Governor Hogan issued an Executive Order with further direct impact to Maryland business
More BTLG News