HB 0148 – Commercial Law – Personal Information Protection Act

By Jim Amie

HB 0148 has passed the House and waiting for a Hearing date in the Senate Finance Committee. The new requirements have been underlined.

The bill requires a business that maintains (in addition to a business that owns or licenses) personal information of a Maryland resident to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained and the nature and size of the business and its operations.

For a  business that maintains personal data, generally, the business must notify the owner or licensee of the breach as soon as practicable; however, the bill requires the notification to be provided within 10 days (rather than 45 days) after the business discovers (or is notified) of the breach.

If a required notification is delayed because a law enforcement agency determines that the notification will impede a criminal investigate or jeopardize homeland or national security, notification must be given as soon as reasonably practicable, but no later than 7 days (rather than 30 days) after the law enforcement agency makes the required determination.

The bill also modifies the methods for providing notification of breaches to individuals.  The bill requires (rather than authorizes) a business that owns, licenses, or maintains personal data to provide notification of the breach by written notice, electronic mail, telephone, or substitute notice. As under current law, notification by electronic mail may only be provided if specified conditions are met.  However, substitute notice may only be used if the business does not have sufficient contact information to give the other forms of notice as the bill repeals a provision allowing substitute notice  if the other forms of notice would be cost prohibitive.

In addition, the notification must be provided by (1) email, if the business has an email address for the individual; (2) conspicuous posting on the website of the business, if the business maintains a website; and (3) notification to major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.

For data breaches involving a business that owns, licenses, or maintains personal information, the bill expands the information that must be included in a notice provided to the Office of the Attorney General.  At a minimum, the notice must include:

The number of affected Maryland residents;

A description of the breach, including when and how it occurred;

Any steps the business has taken (or plans to take) relating to the breach of the security of a       system; and;

The form of notice that will be sent to affected individuals and a sample notice.