As the crime of identity
theft has grown, lawmakers have worked to protect consumers' personal
information from identity thieves. The Personal Information Protection Act
(PIPA), Md. Code Ann. Comm. Law 14-3504 was enacted to make sure that Maryland
consumers' personal identifying information is reasonably protected, and if it
is compromised, they are notified so that they can take steps to protect
themselves. PIPA contains provisions for notification of consumers in the event
of a data security breach and for reasonable security measures to protect
consumers' personal identifying information.
PIPA defines “Personal information” as an individual's first and last name in
combination with any of the following: Social Security Number, Driver's License
Number, Financial Account Number or Individual Taxpayer Identification Number,
unless the information is encrypted, redacted or otherwise rendered unusable. A
“security breach” is defined as the unauthorized acquisition of computerized data
that compromises the security, confidentiality or integrity of personal
information. If a business experiences a security breach involving personal
information that, in combination, may pose a threat to a consumer if misused,
that business must notify any affected consumers residing in Maryland. Once a
security breach is detected, a business must conduct in good faith a reasonable
and prompt investigation to determine whether the information that has been
compromised has been or is likely to be misused, i.e. for identity theft. If the
investigation shows that there is a reasonable chance that the data will be
misused, that business must notify the affected consumers.
In the event of a
security breach, notice must be given to consumers as soon as reasonably
practicable following the investigation. A business may delay notification if
requested by a law enforcement agency or to determine the scope of the breach,
identify all the affected individuals or restore the integrity of the system.
Notice to affected consumers must be given in writing and sent to the most recent
address of the individual, or by telephone to the most recent phone number.
Notice may be sent via e-mail if an individual has already consented to receive
electronic notice or the business primarily conducts its business via the
Internet. The law also contains a provision for substitute notice, allowing a
business to provide notice of a security breach by e-mail, posting on its
website and notice to statewide media if the cost of notice would exceed
$100,000 or the number of consumers to be notified exceeds 175,000.
The notice to consumers must include:
- Description of the information for the business, including a toll-free number if the business has
- and addresses for each of the three credit reporting agencies: Equifax, Experian
- addresses and Websites for the Federal Trade Commission (FTC) and the Office of the Attorney General (OAG).
- A statement that the individual can obtain information from these sources about steps to avoid
Prior to sending notification to consumers, PIPA states that a business must
notify the OAG. The notice to the OAG should include a brief description of the
nature of the security breach, the number of Maryland residents being notified,
what information has been compromised, and any steps the business is taking to
restore the integrity of the system. Also attach a sample copy of the notice
being sent to consumers and send to the OAG via:
U.S. Mail: Office of the Attorney General, Attn: Security Breach Notification, 200 St. Paul Place, Baltimore, MD 21202
Fax: Attn: Security Breach Notification, (410)
Please direct any
questions to Jeff Karberg, Administrator of the Identity Theft Program at (410)
When a business is
destroying records that contain personal information, it must take reasonable
steps to protect against unauthorized access to or use of the personal
information. A business that owns or licenses personal information must
implement and maintain reasonable security procedures and practices appropriate
to the nature of the personal information and the nature and size of the
business. If a business uses a non-affiliated third party to perform services
and discloses personal information to the third party, the contract must require
the third party to implement and maintain reasonable security procedures (eff.
If a business' primary or functional regulator has rules, regulations or
policies regarding the protection of personal information and breach notice,
and the business is in compliance with those rules, that business will be
deemed to be in compliance with PIPA. Similarly, compliance with the
Gramm-Leach-Bliley Act or other specified federal laws is deemed to be
compliance with Maryland law.
A violation of the Maryland Personal Information Protection Act is an unfair or
deceptive trade practice as defined by the Maryland Consumer Protection Act.
200 St. Paul Place, Baltimore, MD 21202
410-576-6300 / En español 410-230-1712 / 1-888-743-0023 toll-free / TDD: 410-576-6372