Maryland Personal Information Protection Act

The Maryland Personal Information Protection Act was amended in May 2017.

The changes became effective on Jan. 1, 2018.

The amended Maryland Personal Information Protection Act have the following changes:

  • The new law expands the definition of personal information
  • Requires notification of the breach to be done within a 45-day timeframe
  • Allows for an alternative notification by e-mail, under certain circumstances
  • Expands the covered customer records subject to Maryland’s destruction of records laws.

The new law took effect on January 1, 2018.

The following are defined as “personal information” under the Maryland’s PIP Act:

     first name or first initial and last name combined with any of the following:

     social security number;

     driver’s license number;

     financial account number, including a credit or debit card number, in combination with any                security code, or password;

     individual taxpayer ID number.

The new law expands that definition to include:

     passport numbers or any other ID numbers issued by the federal government

    state ID card numbers;

     health information such as medical history, condition, treatment, or diagnosis;

     health insurance policy, subscriber ID number, in combination with a unique identifier that permits access to the information;

     biometric data, such as a fingerprint, genetic print, retina or iris image, or other unique  characteristic;

     user name or e-mail address in combination with a password or security question that permits access to the account.

It is more important today to make sure that your business is protected for a data breach. If you are not sure you have the proper coverage, please contact our office for a complete review.  Not all policies are the same and it is very important that you have a comprehensive Cyber Security/Data Breach policy that will provide the proper protection.