
Maryland Personal Information Protection Act

Published by on December 21, 2007


Beginning on January 1, 2008, Maryland businesses will have new obligations with respect to how they use and maintain personal information about individuals residing in the State.  The Maryland Personal Information Protection Act is a comprehensive data security law that seeks to provide individuals, including employees and job applicants, with increased privacy and security of their personal information.  It is designed to provide protection from identity theft.

Under the Act, Maryland businesses have two noteworthy obligations.  First, businesses must implement and maintain reasonable security procedures and practices to protect personal information they own or license.  Second, businesses must notify state residents of any data breaches related to their computerized personal information.  This requirement is triggered when, after promptly conducting a reasonable investigation, the business determines that a misuse of the individual’s personal information has occurred or is reasonably likely to occur as a result of the breach.

Personal information is defined as an individual’s first name, or first initial and last name, in combination with his/her social security number, driver’s license number, individual tax ID number, or financial account number (including credit or debit cards), which together with password or security information would permit access to the account.  Information is not “personal information,” however, if it is encrypted, redacted or otherwise protected to render the information unreadable or unusable.

Maryland businesses will also have to ensure that certain outside service providers maintain security procedures and practices to protect personal information.  Maryland businesses that use third parties to perform services, and disclose personal information about a Maryland resident to the third party, must include express provisions in the third-party services agreement that require the third party to implement and maintain reasonable security procedures and practices that are appropriate under the circumstances and are designed to protect the personal information from unauthorized use, access, modification, disclosure or destruction.  This provision of the Act is applicable to service contracts entered into beginning January 1, 2009.

Violations of the Maryland Personal Information Protection Act are considered unfair or deceptive trade practices.  Private lawsuits over such violations are available under Maryland law, including awards of attorneys’ fees.

(Contributed by Michael K. Wilson, Welter Law Firm, P.C.)
