Quick Facts
Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: As soon as practicable but no longer than 45 days after concluding investigation into the breach
Government Notification Required: YES
More Details
Scope of this Summary
Covered Info
First name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government issued identification number; driver's license or state ID card number; an account number (including credit debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (created by an entity subject to HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information.
OR username or email address plus password or security question/answer permitting access to an email account.
Form of Covered Info
Encryption Safe Harbor
Breach Defined
Consumer Notice
Timing: Must be made as soon as reasonably practicable, but not later than 45 days after concluding a good-faith and prompt investigation to determine whether info has been or will be misused, consistent with measures necessary to determine scope of the breach, identify those affected, or restore the integrity of the system.
Content: Notice must include: to the extent possible, a description of categories of info (including covered info) acquired; covered entity’s address, telephone number, and toll-free number (if maintained); toll-free numbers and addresses of the major CRAs; and toll-free numbers, addresses, and websites for the FTC and MD Attorney General, plus a statement that residents can obtain info from these sources about steps to avoid identity theft.
Method: By mail, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.
Delayed Notice
Harm Threshold
Government Notice
Consumer Reporting Agency Notice
Third-Party Notice
Potential Penalties
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on October 7, 2019