Amended Law Effective January 1, 2018
Maryland has amended its Personal Information Protection Act (PIPA), which (among other things) imposes certain employer investigation and notice requirements. Highlights of the amended law are presented below.
If a business' primary or functional regulator has rules, regulations, or policies regarding protection of personal information and notice, and is in compliance with those rules, that business will be deemed to be in compliance with PIPA. Similarly, compliance with the Gramm-Leach-Bliley Act or other specified federal laws is deemed to be in compliance with Maryland law.
PIPA defines “Personal information” as an individual's first and last name in combination with a:
- Social Security Number
- Driver's License Number
- Financial Account Number
- Individual Taxpayer Identification Number
unless the information is encrypted, redacted or otherwise rendered unusable.
A “security breach” is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
If a business experiences a security breach where personal information that, combined, may pose a threat to a consumer if misused, that business must notify any affected consumers residing in Maryland.
Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft.
If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers.