As the crime of identity theft has grown, lawmakers have worked to protect consumers' personal information from identity thieves. The Personal Information Protection Act (PIPA), Md. Code Ann. Comm. Law 14-3504, was enacted to make sure that Maryland consumers' personal identifying information is reasonably protected, and if it is compromised, they are notified so that they can take steps to protect themselves. PIPA contains provisions for notification of consumers in the event of a data security breach and for reasonable security measures to protect consumers' personal identifying information.
PIPA defines “personal information" as:
A “security breach" is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. If a business experiences a security breach where personal information that, combined, may pose a threat to a consumer if misused, that business must notify any affected consumers residing in Maryland. Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e., for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers.
In the event of a security breach, notice must be given to consumers with 45 days. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals, or restore the integrity of the system. Notice to the affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via email if an individual has already consented to receive electronic notices or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by email, posting on its website, and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals.
Prior to sending notification to consumers, PIPA states that a business must notify the OAG. Include a brief description of the nature of the security breach, the number of Maryland residents being notified (also attach a sample copy of the notice being sent to consumers), what information has been compromised, and any steps the business is taking to restore the integrity of the system, and send to the OAG:
Please direct any questions to Jeff Karberg, administrator of the Identity Theft Program, at (410) 576-6574.
When a business is destroying records that contain personal information, it must take reasonable steps to protect against unauthorized access to or use of the personal information. A business that owns or licenses personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information and nature and size of business. If a business uses a non-affiliated third party to perform services and discloses personal information to the third party, the contract must require the third party to implement and maintain reasonable security procedures.
If a business' primary or functional regulator has rules, regulations, or policies regarding protection of personal information and notice, and is in compliance with those rules, that business will be deemed to be in compliance with PIPA. Similarly, compliance with the Gramm-Leach-Bliley Act or other specified federal laws is deemed to be in compliance with Maryland law.
A violation of the Maryland Personal Information Protection Act is an unfair or deceptive trade practice as defined by the Maryland Consumer Protection Act.
200 St. Paul Place, Baltimore, MD 21202
410-576-6300 / En español 410-230-1712 / 1-888-743-0023 toll-free / TTY: Dial 7-1-1 or 800-735-2258