Businesses collecting and retaining personal information about Maryland residents are required by Maryland law to notify residents if their information is compromised. For a full list of what "personal information" includes, please see MD Commercial Code §14–3501 (e). As of October 1, 2022, Maryland law requires that businesses provide specific information in their notification to the Office of the Attorney General. For information on this notice requirement, please see MD Commercial Code §14-3504 (h).
Links to notices sent to the OAG in the last three years are listed on this webpage. Questions about specific notices may be directed to IDTheft@oag.state.md.us. Below is a chart containing the case number, date of the notice, business name, how many people are affected, what information was compromised, and how it was lost.