Maryland

Notification requirements applicable to businesses that own, license or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and Code of Md. Regulations 10.25.18.07-08 provides additional notification requirements for health information exchanges.

First name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government issued identification number; driver's license or state ID card number; an account number (including credit debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (created by an entity subject to HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information.

OR username or email address plus password or security question/answer permitting access to an email account.

Electronic Only.

Statute does not apply to information that is encrypted, redacted or otherwise protected by another method that renders the info unreadable or unusable.

Unauthorized acquisition that compromises the security, confidentiality, or integrity of residents’ covered info, excluding certain good-faith acquisitions by employees or agents.

Timing: Must be made as soon as reasonably practicable, but not later than 45 days after concluding a good-faith and prompt investigation to determine whether info has been or will be misused, consistent with measures necessary to determine scope of the breach, identify those affected, or restore the integrity of the system.

Content: Notice must include: to the extent possible, a description of categories of info (including covered info) acquired; covered entity’s address, telephone number, and toll-free number (if maintained); toll-free numbers and addresses of the major CRAs; and toll-free numbers, addresses, and websites for the FTC and MD Attorney General, plus a statement that residents can obtain info from these sources about steps to avoid identity theft.

Method: By mail, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation or jeopardize national or homeland security. Notice must be given as soon as reasonably practicable, but no longer than 30 days after law enforcement determines notice will not impede investigation or jeopardize security.

Notification not required if, after investigation, covered entity determines that covered info has not and likely will not be misused as a result of the breach. Must document determination in writing and maintain for three years.

If notice is required, must notify the MD Attorney General before providing consumer notice.

If required to notify 1,000 or more residents, must also notify all nationwide CRAs without unreasonable delay of timing, distribution, and content of the consumer notices.

If maintaining covered info on behalf of another entity, must notify that entity as soon as practicable, but no later than 45 days after discovery or notification of breach. Harm threshhold does not apply to third-party notice. Businesses that maintain covered info on behalf of another entity may not charge that entity a fee for providing it information it needs in order to notify consumers.

Violations may result in civil or criminal penalties.