An Overview of the Maryland Personal Information Protection Act
The Maryland Personal Information Protection Act (PIPA) is a privacy law aimed at protecting the privacy of the residents of the State of Maryland.
Although Maryland’s privacy laws are not completely comprehensive in the same vein as California’s consumer privacy laws, they do aim to address public concern over the way data is protected.
Businesses serving Maryland residents must be aware of these consumer privacy laws and take steps to achieve compliance. Failure to do so can lead to severe financial penalties.
Here’s what you need to know about Maryland privacy laws.
What is the Maryland Personal Information Protection Act (PIPA)?
The Maryland Personal Information Protection Act came into effect in January 2008. Also known as the Maryland Data Breach Notification Law, it’s been regularly amended in response to the growing number of data breaches, whereby consumer data has been lost, stolen, or sold without authorization.
It details how businesses collect, use, and disclose data, as well as detailing the rights of consumers with regards to their personal data.
What is Personal Information?
Maryland data privacy laws specifically define what counts as personal information. This includes a Maryland resident’s first and last names or their initials. However, this information must be in combination with one or more of the following:
· Official ID numbers, such as Social Security, passport, driver’s license, or tax identification numbers.
· Financial numbers, such as account, credit card, or debit card numbers.
· Personal health information, such as details of health insurance policies.
· Biometric data.
If a business already complies with Federal data protection laws or the more extensive consumer privacy laws of a state like California, the Maryland authorities will consider a business to be in compliance.
The chances are your business already complies with Maryland data privacy laws.
The majority of compliance consists of organizations implementing a reasonable level of security to protect personal information. This requires creating, adopting, and maintaining a written security policy. It also requires businesses to take reasonable steps to prevent unauthorized access to personal information,
Notification of Security Breach
The Maryland data breach notification requirements are the main obligations businesses have when handling the personal information of Maryland residents.
If there is a security breach, businesses are required to inform affected consumers within 45 days of the breach. The business must also conduct a prompt investigation into the breach.
Notices must be made to consumers in writing unless more than 175,000 people are affected, in which case a post on the website or via email is acceptable. Any notice must urge the consumer to change their passwords and security questions.
A security breach notification must detail all compromised information, provide the business’s contact information, and provide a statement that informs consumers how they can get advice on preventing identity theft via the FTC and OAG.
It also must include the following third-party addresses and toll-free numbers:
· TransUnion, Experian, and Equifax (the main credit reporting agencies).
· The Maryland Office of the Attorney General (OAG).
· The Federal Trade Commission (FTC).
Amendments were made to the Maryland data privacy laws in 2019 to expand the mandate of PIPA.
The laws now apply not only to businesses that own or license personal information but to businesses that maintain it.
The 2019 amendments require organizations to conduct an investigation in the event of a breach and restricts how businesses can use breach related information.
Under the new rules, businesses may only use breach-related data to notify affected consumers, protect personal information, and to inform national information security bodies about the breach.
Does Maryland’s PIPA Apply to My Business?
The provisions of the Maryland Personal Information Protection Act previously only applied to businesses that owned or licensed the personal information of the state’s residents.
The 2019 amendments to the Maryland breach notification law required all businesses that maintain personal information to comply with PIPA.
In other words, if your organization does business within Maryland and it licenses, maintains, or owns the personal information of Maryland residents, PIPA now applies to your business.
The laws apply regardless of the size of your business and whether or not you’re physically located within the state.
Penalties for Non-Compliance
A violation of Maryland privacy laws is classified as a deceptive or unfair trade practice, according to the Consumer Protection Act of Maryland. In other words, violations can be classified as a criminal offense.
Civil penalties start at $1,000 for a first violation and $5,000 for subsequent violations. The law also allows for private consumers to not only sue for damages, but they may also sue to recover attorney fees.
The threat of private legal action means that organizations that fail to secure consumers’ personal information properly could find themselves facing expensive legal battles, with potentially unlimited financial penalties.