Data Breach: Updates to Maryland’s Personal Information Protection Act

In 2008, Maryland enacted the Personal Information Protection Act (“PIPA”), which placed statutory obligations on businesses to safeguard the personal information of Maryland consumers. When originally enacted, ‘personal information’ was identified as (1) social security number, (2) driver’s license number, (3) financial account number, including credit and debit card numbers, in combination with any code or password that would grant access to the financial account, and (4) individual taxpayer identification number. PIPA placed the responsibility and obligation on businesses that own or license personal information of Maryland consumers to implement and maintain reasonable security procedures and practices to safeguard that information. The law also required businesses to investigate and subsequently notify consumers if a security breach occurred that could lead to possible misuse of personal information.

Notices to consumers under PIPA must include the following: (1) a reasonable description of the information compromised, (2) contact information for the business, including a toll-free number if available, (3) toll-free numbers and addresses for each of the three credit reporting agencies, (4) toll-free numbers, addresses, and websites for the Federal Trade Commission and the Maryland Office of the Attorney General, and (5) a statement that the individual can obtain information from these sources about steps to avoid identity theft.

Businesses also have an affirmative obligation under PIPA to notify the Maryland Office of the Attorney General before sending notice to consumers. Businesses can find additional information on where and how to notify the Maryland Office of the Attorney General here:

Throughout the years, Maryland’s legislature has enacted updates to PIPA. In 2017, the definition of personal information was revised and expanded to include (1) health information, including information about an individual's mental health; (2) a health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's health information; (3) biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account; or a user name or email address in combination with a password or security question and answer that permits access to an individual's email account. The 2017 amendments also established a 45-day time period following conclusion of the business’s investigation to notify consumers if required.

The most recent amendments to PIPA took effect on October 1, 2019. The 2019 amendments expand the reach of PIPA beyond just businesses that own or license personal information to businesses that maintain personal information as well. While the amendment now requires businesses that maintain personal information to conduct an investigation, the duty to notify consumers if an investigation results in a determination that personal information is likely to be misused still rests solely on the owner or licensee of the personal information. The amendment does, however, restrict a business that maintains personal information from charging the owner or licensee a fee for providing information that the owner or licensee needs to issue notification under the law. Finally, the 2019 amendments further restrict a business from using the information related to a security breach for any purpose other than (1) providing notification of the breach; (2) protecting or securing personal information; or (3) providing notification to national information security organizations created for information sharing and analysis of security threats, to alert and avert new or expanded breaches.

For a prior article on this law see 

BTLG Attorneys At Law
