State Regulatory Developments

Maryland Amends its Data Breach Notification Requirements

Maryland Governor Larry Hogan recently approved a bill, House Bill 1154 (HB 1154), which modifies the Maryland Personal Information Protection Act (MPIPA). MPIPA provides the data breach notification requirements for companies in Maryland.  The changes made by HB 1154 go into effect on October 1, 2019.

Previously, only businesses that owned or licensed computerized data containing personal information of Maryland residents were subject to MPIPA’s provisions governing the procedures for responding to data security breaches.  Pursuant to HB 1154, a company that maintains such computerized data is also now covered under those provisions.

Additionally, if a business that incurs a breach of a security system (i.e., a data breach) is not the owner or licensee of the computerized data, HB 1154 provides that such business may not charge a fee to the owner or licensee of the data for providing breach notifications to individuals who may be impacted by the breach.

HB 1154 also prohibits owners and licensees of computerized data from using information relative to a breach of a security system for purposes other than: (1) providing notification of the breach; (2) protecting or securing personal information; or (3) providing notification to national information security organizations to alert and avert new or expanded breaches.