skip to main content
Experience List
  • Email Page
  • Create PDF
  • Print Page
Maryland Data Breach Statute


Md. Code Ann., Com. Law §§ 14-3501 – 14-3508

To print or save this summary, click here.


Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Notification Required


As soon as practicable but no longer than 45 days



More Details

Scope of this Summary Notification requirements applicable to businesses that own, license or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and Code of Md. Regulations provides additional notification requirements for health information exchanges.
Covered Info First name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government issued identification number; driver's license or state ID card number; an account number (including credit debit card number), in combination with any required security or access code or password that permits access to a financial account; health information (as defined by HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual’s health information; or unique biometric information.

OR username or email address plus password or security question/answer permitting access to an email account.
Form of Covered Info Electronic Only
Encryption Safe Harbor Statute does not apply to information that is encrypted, redacted or otherwise protected by another method that renders the info unreadable or unusable.
Breach Defined Unauthorized acquisition that compromises the security, confidentiality, or integrity of residents’ covered info, excluding certain good-faith acquisitions by employees or agents.
Consumer Notice Timing: Must be made as soon as reasonably practicable, but not later than 45 days after concluding investigation to determine whether info has been or will be misused, consistent with measures necessary to determine scope of the breach, identify those affected, or restore the integrity of the system.

Content: Notice must include: to the extent possible, a description of categories of info (including covered info) acquired; covered entity’s address, telephone number, and toll-free number (if maintained); toll-free numbers and addresses of the major CRAs; and toll-free numbers, addresses, and websites for the FTC and MD Attorney General, plus a statement that residents can obtain info from these sources about steps to avoid identity theft.

Method: In writing, by email (if resident expressly consented to receive electronic notices or if business is primarily conducted online), or by telephone. Substitute notice is available if certain criteria are satisfied. Electronic notice permitted in the case of a breach involving personal information that permits access to an email account only, but specific content and delivery requirements apply.
Delayed Notice Notification may be delayed if law enforcement determines that notice will impede a criminal investigation or jeopardize national or homeland security. Notice must be given as soon as reasonably practicable, but no longer than 30 days after law enforcement determines notice will not impede investigation or jeopardize security.
Harm Threshold Notification not required if, after investigation, covered entity determines that covered info has not and likely will not be misused as a result of the breach. Must document determination in writing and maintain for three years.
Government Notice If notice is required, must notify the MD Attorney General before providing consumer notice.
Consumer Agency Notice If required to notify 1,000 or more residents, must also notify all nationwide CRAs without unreasonable delay of timing, distribution, and content of the consumer notices.
Third-Party Notice If maintaining covered info on behalf of another entity, must notify that entity as soon as practicable, but not later than 45 days after discovery or notification of breach. Harm threshhold does not apply to third-party notice.
Potential Penalties Violations may result in civil penalties.


To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on February 8, 2018