Maryland Amends Its Personal Information Protection Act

On Could 29, 2022, the Maryland legislature enacted Home Invoice 962, which amends Maryland’s Private Data Safety Act (the “Act”). The amendments replace and make clear varied elements of the Act, together with, however not restricted to, the timeframe for reporting an information breach affected people, and content material necessities for offering discover to the Maryland Legal professional Normal.

Home Invoice 962 shortens the variety of days knowledge house owners and licensors, and their service suppliers, must report knowledge breaches to affected people. As soon as the amendments turn out to be efficient, knowledge house owners and licensors will likely be required to inform affected people inside 45 days of discovering or being notified of a breach, somewhat than inside 45 days of concluding their investigation into the breach, as was required by the earlier model of the Act. As well as, the timeframe for service suppliers to inform knowledge house owners and licensors of a breach has been shortened from 45 days to 10 days. The timeframe for an information proprietor or licensor to inform the Maryland Legal professional Normal has not modified; discover to the Legal professional Normal nonetheless have to be made upfront of discover to affected people.

Equally, in breaches the place notification is initially delayed as a result of regulation enforcement “determines that the notification will impede a felony investigation or jeopardize homeland or nationwide safety,” knowledge house owners and licensors, and their service suppliers, will not have 30 days to inform affected people after regulation enforcement determines notification is suitable. Now, knowledge house owners and licensors should make their required notifications inside the unique 45 day interval, or inside seven days thereafter if the 45 days have already got elapsed, whereas service suppliers have seven days to take action.

Home Invoice 962 additionally offers particular content material necessities for notification to the Maryland Legal professional Normal. Notifications should embrace, at a minimal: (1) the variety of affected people residing in Maryland; (2) an outline of the breach, together with when and the way it occurred; (3) any steps the enterprise has taken or plans to take regarding the breach; and (4) the type of the discover that will likely be despatched to affected Maryland residents and a pattern of that discover.

Different modifications to the Private Data Safety Act embrace clarifications to the definition of “genetic data” and to the substitute discover necessities. The amended Private Data Safety Act will take impact on October 1, 2022.