Maryland has updated its Personal Information Protection Act (“PIPA”), and while PIPA may not be considered a “comprehensive” privacy law, the revisions to PIPA enacted under House Bill 962 (“the Act” or “HB 962”) will bring some of PIPA’s provisions in line with the comprehensive data privacy laws recently enacted by a handful of other states, including Connecticut, Utah, and Virginia. The Maryland legislature enacted HB 962 without the governor’s signature on May 29, 2022, and it will take effect on October 1, 2022.
HB 962 requires a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained and the nature and size of the business and its operations. See 14-3503(a).
HB 962 creates a risk of harm threshold for determining whether a breach triggers notification requirements. Once a business discovers that it incurred a breach of the security of a system, the Act requires the business to “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.” See 14-3504(b)(1). Significantly, “unless the business reasonably determines that the breach of the security of the system does not create a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data shall notify the individual of the breach.” See 14-3504(b)(2). Thus, if the business determines that there is no likelihood of misuse of the personal information involved in a breach, notification requirements are not triggered. Risk of harm thresholds are baked into other state data breach notification laws. It’s also present in some well-known privacy regimes, like GDPR and HIPAA.
When individual notification requirements are triggered, there is now an expedited notification timeframe under HB 962. When such requirements are triggered, the Act requires that notice be given “as soon as reasonably practicable, but not later than 45 days after the business discovers or is notified of the breach of the security system.” See 14-3504(b)(3). This is a significant change, as the current deadline is within 45 days after the conclusion of the investigation. The Act will also require that a business that processes, but does not own or license, personal information of Maryland residents, notify the data’s owner or licensor of the breach as soon as practicable but no later than ten days from discovery of the breach. See 14-3504(c)(2).
The Act provides that notification shall be given by substitute notice “if the business does not have sufficient contact information to give notice” by means of written, email, or telephonic notice. See 14-3504(e)(4). Furthermore, substitute notice shall now consist of, among other things, notification to “major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.” See 14-3504(f)(3).
Notice to the Attorney General
HB 962 specifies the content of the notice to the Office of the Attorney General (“OAG”), to which a business must provide notice of a breach of the security of a system prior to notifying individuals. See 14-3504(h). Notice to the OAG must include, at a minimum:
- The number of affected individuals residing in Maryland;
- A description of the breach of the breach of the security of a system, including when and how it occurred;
- Any steps the business has taken or plans to take relating to the breach; and
- The form of notice that will be sent to affected individuals and a sample notice.