
Maryland

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: As soon as practicable but no longer than 45 days after concluding investigation into the breach
Government Notification Required: YES

Md. Code Ann., Com. Law §§ 14-3501 – 14-3508

More Details

Scope of this Summary

Notification requirements applicable to businesses that own, license or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and Code of Md. Regulations 10.25.18.07-08 provides additional notification requirements for health information exchanges.

Covered Info

First name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government-issued identification number; driver's license or state ID card number; an account number (including credit or debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (created by an entity subject to HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information.

OR username or email address plus password or security question/answer permitting access to an email account.

Form of Covered Info

Electronic Only.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, redacted or otherwise protected by another method that renders the info unreadable or unusable.

Breach Defined

Unauthorized acquisition that compromises the security, confidentiality, or integrity of residents’ covered info, excluding certain good-faith acquisitions by employees or agents.

Consumer Notice

Timing: Must be made as soon as reasonably practicable, but not later than 45 days after concluding a good-faith and prompt investigation to determine whether info has been or will be misused, consistent with measures necessary to determine scope of the breach, identify those affected, or restore the integrity of the system.

Content: Notice must include: to the extent possible, a description of categories of info (including covered info) acquired; covered entity’s address, telephone number, and toll-free number (if maintained); toll-free numbers and addresses of the major CRAs; and toll-free numbers, addresses, and websites for the FTC and MD Attorney General, plus a statement that residents can obtain info from these sources about steps to avoid identity theft.

Method: By mail, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.

Delayed Notice

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation or jeopardize national or homeland security. Notice must be given as soon as reasonably practicable, but no longer than 30 days after law enforcement determines notice will not impede investigation or jeopardize security.

Harm Threshold

Notification not required if, after investigation, covered entity determines that covered info has not and likely will not be misused as a result of the breach. Must document determination in writing and maintain for three years.

Government Notice

If notice is required, must notify the MD Attorney General before providing consumer notice.

Consumer Reporting Agency Notice

If required to notify 1,000 or more residents, must also notify all nationwide CRAs without unreasonable delay of timing, distribution, and content of the consumer notices.

Third-Party Notice

If maintaining covered info on behalf of another entity, must notify that entity as soon as practicable, but no later than 45 days after discovery or notification of breach. Harm threshold does not apply to third-party notice. Businesses that maintain covered info on behalf of another entity may not charge that entity a fee for providing it information it needs in order to notify consumers.

Potential Penalties

Violations may result in civil or criminal penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on October 7, 2019

©1996-2020 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.