Maryland Amends Personal Information Protection Act’s Data Breach Notification Requirements
Recently, Maryland passed two bills that will amend the breach notification requirements of the Maryland Personal Information Protection Act (“PIPA” or “Act”) and the scope of businesses subject to these requirements.
Among other things, these amendments will:
- Add a requirement to “implement and maintain reasonable security procedures and practices” for organizations that “maintain” personal information, in addition to those that own or license said information, as originally required by the Act;
- Expand the definition of “genetic information” to generically include:
    1. data, regardless of its format, that results from the analysis of a biological sample of the individual or from another source that enables equivalent information to be obtained and that concerns genetic material;
    2. deoxyribonucleic acids;
    3. ribonucleic acids;
    4. genes;
    5. chromosomes;
    6. alleles;
    7. genomes;
    8. alterations or modifications to deoxyribonucleic acids or ribonucleic acids;
    9. single nucleotide polymorphisms;
    10. uninterrupted data that results from the analysis of a biological sample from the individual or other sources; and
    11. information extrapolated, derived, or inferred from item 1, 2, 3, 4, 5, 6, 7, 8, 9, or 10 of this item.
- Provide format and substance requirements for the notice that must be provided to the Office of the Attorney General upon the occurrence of a breach of the security of a covered entity’s system, including the number of affected Maryland individuals, the description of the breach that occurred, and the steps the business has taken or will take in response to this breach; and
- Change the reporting time period required where a covered entity delays notification due to circumstances surrounding a law enforcement investigation from 30 days to 7 days following the law enforcement agency’s determination that the notification will not impede the investigation.
These amendments to the PIPA will go into effect on October 1, 2022.