State Regulatory Developments

Maryland Amends Personal Information Protection Act

On May 29, 2022, the Governor of Maryland signed House Bill 962 (HB 962) into law which amends and clarifies the Maryland Personal Information Protection Act. The purpose of this amendment, among other things, is to: (1) require “a business that maintains personal information of an individual residing in [Maryland] to implement and maintain certain security procedures and practices”; and (2) alter “certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.”

Existing Maryland law only requires businesses that own or license personal information of an individual residing in Maryland to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information…and the nature and size of the business and its operations.” HB 962 amends the previous law to include businesses that maintain such information as well as those who own or license it.

HB 962 also alters notice requirements when there has been a breach to security systems by clarifying the definition of personal information, adjusting the time frame in which businesses are required to notify individuals of breach, and adding the minimum information required in the notice itself.

These changes are effective October 1, 2022.