Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: As soon as reasonably practicable but no later than 45 days after the business discovers or is notified of the breach
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to businesses that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and Code of Md. Regulations 10.25.18.07-08 provides additional notification requirements for health information exchanges.
Risk of Harm Threshold
Notification not required if the business reasonably determines that the breach of the security of the system does not create a likelihood that personal information has been or will be misused. Must document determination in writing and maintain for three years.
Definition of Breach
Unauthorized acquisition that compromises the security, confidentiality, or integrity of residents' covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or otherwise protected by another method that renders the info unreadable or unusable.
Form of Covered Info
- An individual's first name or first initial and last name in combination with any one or more of the following data elements:
  - A Social Security number, an individual taxpayer identification number, a passport number, or other identification number issued by the federal government;
  - A driver's license number or state identification card number;
  - An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password that permits access to an individual's financial account;
  - Health information, including information about an individual's mental health;
  - A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual's medical health information;
  - Biometric data of an individual generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual's identity when the individual accesses a system or account;
  - Genetic information with respect to an individual; or
- A username or email address in combination with a password or security question and answer that permits access to an individual's email account (this element is covered on its own, without the individual's name).
Consumer Notice Timing
Must be made as soon as reasonably practicable but no later than 45 days after the business discovers or is notified of the breach of the security of a system.
Consumer Notice Method
By mail, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.
Consumer Notice Content
- To the extent possible, the notification shall include:
  - A description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired;
  - Contact information for the business making the notification, including the business' address, telephone number, and toll-free telephone number if one is maintained;
  - The toll-free telephone numbers and addresses for the major Consumer Reporting Agencies;
  - The toll-free telephone numbers, addresses, and website addresses for the Federal Trade Commission and the Office of the Attorney General; and
  - A statement that an individual can obtain information from these sources about steps the individual can take to avoid identity theft.
- If a breach involves only a username or email address in combination with a password or security question and answer that permits access to the user's email account (and no other personal information), then an entity may comply with the notification requirements under the general statute by directing the individual to promptly:
  - Change their password and security question or answer, as applicable; or
  - Take other steps appropriate to protect the email account with the entity and all other online accounts for which the individual uses the same username or email and password or security question or answer.
Delay of Notification
Notification may be delayed: (1) if law enforcement determines that notice will impede a criminal investigation or jeopardize national or homeland security; or (2) to determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system. Notice to affected individuals that is delayed due to law enforcement must be given within seven days after law enforcement determines that notice will not impede the investigation or jeopardize security, or by the end of the original 45-day period.
Government Notice
If notice is required, must notify the MD Attorney General before providing consumer notice. The notice should include a copy of the notice sent to consumers and a brief description that includes the nature of the breach, the type of affected personal information, and any steps taken to restore the integrity of the system.
Consumer Reporting Agency Notice
If required to notify 1,000 or more residents, must also notify all nationwide Consumer Reporting Agencies, without unreasonable delay, of the timing, distribution, and content of the consumer notices.
Exceptions for Other Laws
The statute includes certain exceptions for any business that is subject to and in compliance with:
- the Gramm-Leach-Bliley Act;
- Section 216 (the "Disposal Rule") of the Fair and Accurate Credit Transactions Act (15 U.S.C. § 1681w);
- the Health Insurance Portability and Accountability Act of 1996 (HIPAA); or
- the Interagency Guidelines Establishing Information Security Standards (66 Fed. Reg. 8616 (Feb. 1, 2001) and 69 Fed. Reg. 77,610 (Dec. 28, 2004)) and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15,736 (March 29, 2005)).
Third-Party Notice
If maintaining covered info on behalf of another entity, must notify that entity as soon as practicable but no later than 45 days after discovery or notification of the breach. The harm threshold does not apply to third-party notice. Businesses that maintain covered info on behalf of another entity may not charge that entity a fee for providing the information it needs in order to notify consumers.
Private Right of Action
A violation of the Maryland general breach notification statute is an unfair or deceptive trade practice under the Maryland Consumer Protection Act, for which an injured person may bring a private action to recover actual damages.
Penalties
Violations may result in civil penalties.