NB: This page summarizes current Maryland law. However, Maryland amended its data breach notification statute effective October 1, 2019. This page will be updated at that time.
Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: As soon as practicable but no longer than 45 days after concluding investigation into the breach
Government Notification Required: YES
Scope of this Summary
First name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government-issued identification number; driver's license or state ID card number; an account number (including credit or debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (created by an entity subject to HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information.
OR username or email address plus password or security question/answer permitting access to an email account.
Form of Covered Info
Encryption Safe Harbor
Timing: Must be made as soon as reasonably practicable, but not later than 45 days after concluding a good-faith and prompt investigation to determine whether info has been or will be misused, consistent with measures necessary to determine scope of the breach, identify those affected, or restore the integrity of the system.
Content: Notice must include: to the extent possible, a description of categories of info (including covered info) acquired; covered entity’s address, telephone number, and toll-free number (if maintained); toll-free numbers and addresses of the major CRAs; and toll-free numbers, addresses, and websites for the FTC and MD Attorney General, plus a statement that residents can obtain info from these sources about steps to avoid identity theft.
Method: By mail, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.