In 2008, Maryland enacted the Personal Information Protection Act (“PIPA”), which placed statutory obligations on businesses to safeguard the personal information of Maryland consumers. When originally enacted, ‘personal information’ was defined as (1) social security number, (2) driver’s license number, (3) financial account number, including credit and debit card numbers, in combination with any code or password that would grant access to the financial account, and (4) individual taxpayer identification number. PIPA placed the responsibility and obligation on businesses that own or license personal information of Maryland consumers to implement and maintain reasonable security procedures and practices to safeguard that information. The law also required businesses to investigate a security breach and subsequently notify consumers if the breach could lead to possible misuse of personal information.
Notices to consumers under PIPA must include the following: (1) a reasonable description of the information compromised, (2) contact information for the business, including a toll-free number if available, (3) toll-free numbers and addresses for each of the three credit reporting agencies, (4) toll-free numbers, addresses, and websites for the Federal Trade Commission and the Maryland Office of the Attorney General, and (5) a statement that the individual can obtain information from these sources about steps to avoid identity theft.
Businesses also have an affirmative obligation under PIPA to notify the Maryland Office of the Attorney General before sending notice to consumers. Businesses can find additional information on where and how to notify the Maryland Office of Attorney General here: http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx
Throughout the years, Maryland’s legislature has enacted updates to PIPA. In 2017, the definition of personal information was revised and expanded to include (1) health information, including information about an individual's mental health; (2) a health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; (3) biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account; and (4) a user name or email address in combination with a password or security question and answer that permits access to an individual's email account. The 2017 amendments also established a 45-day time period following conclusion of the business’s investigation to notify consumers if notification is required.
The most recent amendments to PIPA took effect on October 1, 2019. The 2019 amendments expand the reach of PIPA beyond businesses that own or license personal information to businesses that maintain personal information as well. While the amendment now requires businesses that maintain personal information to conduct an investigation, the duty to notify consumers if an investigation results in a determination that personal information is likely to be misused still rests solely on the owner or licensee of the personal information. The amendment does, however, prohibit a business that maintains personal information from charging the owner or licensee a fee for providing information that the owner or licensee needs to issue notification under the law. Finally, the 2019 amendments further restrict a business from using the information related to a security breach for any purpose other than (1) providing notification of the breach; (2) protecting or securing personal information; or (3) providing notification to national information security organizations created for information sharing and analysis of security threats, to alert and avert new or expanded breaches.
For a prior article on this law, see http://www.btlg.us/News_and_Press/articles/Personal%20Information%20Protection%20Act