Maryland recognized the urgency for comprehensive legislation aimed at protecting consumers’ privacy rights and took proactive steps to address it, leading to the enactment of the Personal Information Protection Act in 2017.
PIPA has since been amended by House Bill 962, further enhancing its effectiveness and adapting it to the evolving digital landscape.
In this guide, we’ll explore the details of the Maryland Personal Information Protection Act, shedding light on its origins, core provisions, the significant impact of House Bill 962, and, most importantly, how your business can comply with its provisions.
- Maryland’s Personal Information Protection Act (PIPA) is a comprehensive framework aimed at protecting the personal identifying information of Maryland consumers and ensuring its security.
- PIPA requires businesses and organizations to implement reasonable security measures and promptly notify affected individuals and the Maryland Office of the Attorney General in case of a security breach.
- House Bill 962 reduces the notification window for breaches, shortens the notification period for third-party data handlers, expands the definition of personal information, and allows electronic notifications.
What Is Maryland’s Personal Information Protection Act (PIPA)?
Maryland’s Personal Information Protection Act (PIPA) is a comprehensive legal framework designed to ensure that Maryland consumers’ personal identifying information remains secure and protected in an age where data breaches and identity theft are of growing concern. It also includes provisions for prompt notifications in case of security threats and breaches.
PIPA applies to a wide range of entities operating within Maryland. This includes businesses, corporations, government agencies, non-profit organizations, and other entities that collect, store, or handle personal information.
One of the key provisions of PIPA is the duty to implement reasonable security measures. This means that businesses must establish and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information they handle and to the size and scope of their operations.
This state privacy law also emphasizes prompt notification in cases of security breaches. According to PIPA’s mandates, businesses must notify affected individuals and the Maryland Office of the Attorney General no later than 45 days after the breach incident.
The notification should include essential information about the breach incident and steps individuals can take to protect themselves.
What Is the House Bill 962?
House Bill 962 is a legislative enactment that took effect on October 1, 2022, and introduced significant amendments to Maryland’s Personal Information Protection Act.
PIPA was enacted in 2017 to protect consumers’ personal information, and it has since evolved to meet the changing landscape of data privacy. In 2022, PIPA underwent significant amendments through House Bill 962, strengthening its effectiveness and ensuring its relevance in the continually evolving digital environment.
Key Amendments of House Bill 962:
- Reduced Notification Window: One of the key amendments introduced by House Bill 962 is a shorter window for businesses to notify affected individuals in the event of a data breach. While PIPA required notification “as soon as reasonably practicable,” House Bill 962 stipulates a specific timeline, generally within 45 days after discovering the breach.
- Shortened Notification Period for Third-Party Data Handlers: Under PIPA, businesses that maintain computerized data “not owned or licensed” by them were required to notify the data owner or licensee within 45 days of discovering a breach. With House Bill 962, the notification period in this instance has been shortened to 10 days.
- Expansion of What Constitutes Personal Information: House Bill 962 broadens the definition of “personal information” to include genetic information, genetic tests, and related data. This expansion acknowledges the increasing relevance of genetic data in the digital age and the need to protect individuals’ genetic privacy.
- Use of Electronic Notifications: House Bill 962 recognizes the prevalence of electronic communication by allowing notifications to be sent electronically if individuals consent to receive them in this format. This aligns with the modern methods of communication prevalent in today’s digital world.
In summary, House Bill 962 is a significant amendment to Maryland’s PIPA, designed to strengthen data privacy protections and adapt to the changing landscape of digital information sharing. It imposes stricter timelines for breach notifications, expands the definition of personal information, and ensures that the costs associated with addressing data breaches do not burden affected individuals.
What Are the General Definitions of the PIPA?
PIPA includes several key definitions that form the foundation for understanding the legislation. Let’s explore these general definitions:
- Business: In the context of PIPA, a business refers to any entity, whether a sole proprietorship, partnership, corporation or any other business entity, organized to operate with or without the intent of making a profit. This definition is broad, encompassing various organizations, including financial institutions.
- Encrypted: This term signifies data protection in electronic or optical form using encryption technology, rendering the data indecipherable without the associated cryptographic key for decryption. Encryption is a fundamental security measure for safeguarding sensitive information.
- Health Information: PIPA defines health information as any data related to an individual’s medical history, medical condition, treatment, or diagnosis. It encompasses a broad range of medical and health-related details.
- Personal Information: This is a central concept in PIPA. Personal information includes an individual’s first or initial and last name and specific data elements. These data elements can include a Social Security number, driver’s license number, account numbers, credit card information, health-related data, and even biometric data used for authentication.
- Breach of the Security of a System: This term signifies the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. It’s a key concept related to data breaches and triggers notification requirements.
What Is Personal Information Under PIPA?
PIPA, the Personal Information Protection Act, defines personal information as a fundamental concept within the legislation. Understanding what qualifies as personal information is important for businesses and individuals seeking to comply with PIPA’s regulations and protect sensitive data.
Personal information under PIPA encompasses many data elements and identifiers, all triggering significant privacy protections when combined with an individual’s name. Here’s a comprehensive breakdown of what constitutes personal information under PIPA:
- Individual’s Name: PIPA treats an individual’s first name or initial and last name, combined with one or more of the specific data elements below, as personal information. This inclusion underscores the legislation’s commitment to safeguarding even the most basic personal identifiers.
- Social Security Number (SSN): A Social Security number is a highly sensitive and unique identifier issued by the federal government. It is classified as personal information when combined with an individual’s name. Protecting SSNs is paramount to prevent identity theft.
- Driver’s License Number or State Identification Card Number: Driver’s license numbers and state identification card numbers are valuable personal information when associated with an individual’s name. Their compromise can lead to identity fraud.
- Account Numbers: PIPA recognizes various account numbers as personal information when combined with specific access credentials. This includes credit card numbers, debit card numbers, and any required security code, access code, or password that permits access to an individual’s financial account.
- Health Information: The legislation protects health-related data, including information about an individual’s mental health, health insurance policy or certificate numbers, and health insurance subscriber identification numbers. These details are considered personal information and require stringent security measures.
- Biometric Data: Biometric data, derived from automatic measurements of an individual’s biological characteristics, is a unique form of personal information. This includes fingerprints, voice prints, genetic prints, retina or iris images, or any other biologically unique characteristic that can be used for identity authentication.
- Usernames and Email Addresses: Personal information also encompasses usernames or email addresses when combined with corresponding passwords or security question-and-answer pairs that provide access to an individual’s email account.
- Genetic Information: PIPA acknowledges genetic information as a distinct category of personal information. This includes DNA, RNA, chromosomes, genes, alleles, genomes, alterations or modifications to genetic materials, single nucleotide polymorphisms, uninterpreted data from biological samples, and information extrapolated, derived, or inferred from genetic data.
This comprehensive definition of personal information ensures that various aspects of an individual’s identity and privacy receive the necessary legal safeguards under Maryland law.
What Is Not Personal Information Under PIPA?
While PIPA provides a comprehensive definition of personal information, it also outlines certain exceptions, detailing what does not qualify as personal information under the legislation.
Here are key categories of information that are not considered personal information under PIPA:
- Publicly Available Information: Information lawfully made available to the general public through federal, state, or local government records is not categorized as personal information under PIPA. This exemption acknowledges that data already in the public domain does not require the same level of protection.
- Consented Information: Information that an individual has expressly consented to have publicly disseminated or listed is excluded from the definition of personal information. When individuals willingly make certain details public, they do not fall under PIPA’s protections.
- HIPAA Compliance: Information disseminated or listed under the federal Health Insurance Portability and Accountability Act (HIPAA) is not considered personal information under PIPA. HIPAA governs the privacy and security of health information, and PIPA respects its existing regulations.
Who Does the PIPA Apply To?
PIPA isn’t exclusive in its reach.
It applies to various entities, including businesses, government agencies, and non-profit organizations. Whether you’re running a small e-commerce store, managing a local non-profit, or working within a government agency, PIPA’s provisions concerning personal information protection are relevant to you.
One common denominator among these entities is their interaction with the personal information of Maryland residents. PIPA isn’t concerned with your size or sector but with how you collect, store, or handle personal information.
So, if your business or organization deals with Maryland individuals’ data in any capacity, PIPA is a framework you must consider seriously.
How Can Businesses Comply With the Maryland Personal Information Protection Act?
1. Implement Robust Security Measures
As a business owner, it’s your responsibility to have comprehensive plans in place: reasonable security measures to prevent a data security breach, and a response plan for the event that one occurs. You must take proactive steps and maintain reasonable security measures to protect the personal information you collect, store, and manage.
It’s also important to keep your cybersecurity defenses current. This involves promptly patching software vulnerabilities, updating security protocols, and staying alert to emerging threats.
PRO TIP: Human error remains a common cause of breaches, so educate your team about security protocols and the best practices.
2. Ensure Timely Data Breach Notification
Understanding the ins and outs of the data breach notification requirements under PIPA and House Bill 962 is paramount.
Both PIPA and House Bill 962 share a common definition of a breach. A “Breach of the security of a system” is characterized as the unauthorized acquisition of computerized data, leading to a compromise in the security, confidentiality, or integrity of the personal information maintained by a business.
The law states that when you discover or are notified of a security breach in which personal information may have been compromised, you must conduct a prompt investigation to determine the likelihood that the personal information has been or will be misused.
“Breach of the security of a system” excludes situations where personal information is acquired in good faith by an employee or agent of a business for legitimate business purposes, provided that this acquired personal information is neither used nor subjected to any further unauthorized disclosure.
Notification timelines after a security breach
Timely breach notification is an important data protection component under the Personal Information Protection Act and House Bill 962. PIPA dictates that the affected consumer must be notified within 45 days of discovering the breach.
House Bill 962 keeps the 45-day notification period but introduces an even more stringent 10-day notification mandate for businesses that maintain personal information they do not own or license. If your business falls into this category, you must notify the owner or licensee of the data within 10 days of discovering a breach.
In certain situations, the notification required may be delayed for the following reasons:
- Law Enforcement Involvement: If law enforcement determines that notification will impede a criminal investigation or pose risks to national security, the notification may be delayed.
- Investigative Necessity: Delays may also occur if there is a need to assess the extent of the breach, identify affected individuals, or restore the system’s integrity.
Recipient of notifications
The affected individuals must be informed immediately, allowing them to take necessary actions to protect themselves from potential harm.
Before notifying affected individuals, businesses must provide notice of a breach to the Office of the Attorney General in Maryland. The notice should include the number of affected individuals residing in the state, a description of the breach, steps taken or planned by the business, and a sample notice.
The contents of the breach notification are essential to ensure affected individuals are adequately informed:
- Scope of the Breach: The notification must include a description of the categories of compromised information that were or are reasonably believed to have been acquired by an unauthorized person.
- Business Contact Information: Information about your business, including the address, telephone number, and toll-free number, should be provided.
- Consumer Reporting Agencies: The notification should include toll-free telephone numbers and addresses for major consumer reporting agencies.
- Government Contacts: Contact details for the Federal Trade Commission and the Maryland Attorney General should be included.
- Identity Theft Information: The notification should inform individuals where to obtain information on steps to avoid identity theft from these sources.
The legislation recognizes that different individuals may have varying contact preferences or availability. Therefore, notifications can be delivered through multiple methods. The choice of delivery method should align with the contact information available for affected individuals.
- Written Notice: This involves sending a written notice to the most recent address of the individual in your records.
- Electronic Mail: If an individual has explicitly consented to electronic notice or your business primarily conducts transactions online, electronic mail can be used for notification.
- Telephonic Notice: A telephonic notice should be delivered to the most recent telephone number of the individual in your records.
- Substitute Notice: Substitute notice may be used if your business lacks sufficient contact information for the above methods, if the cost of providing notice exceeds $100,000, or if the affected number of individuals to be notified exceeds 175,000.
Substitute notice is an alternative method of notifying affected individuals when the standard methods are impractical. Substitute notice consists of the following:
- Electronic Mailing: This involves electronically mailing the notice to individuals.
- Website Posting: If your business maintains a website, the notice must be conspicuously posted on it.
- Media Notification: You are required to notify major print or broadcast media in geographic areas where the affected individuals are likely to reside.
Compliance with PIPA and House Bill 962 does not relieve a business from complying with other federal requirements related to personal information protection.
3. Maintain Detailed Records of Breach Activities
Even in cases where notification isn’t required, maintaining meticulous records of your breach investigation and determination is still a fundamental aspect of compliance with Maryland’s PIPA and House Bill 962. This practice is not just a best practice but a legal requirement under the legislation.
PIPA and House Bill 962 stipulate that businesses must keep these records for at least 3 years after making a determination about a data security breach. These records serve as important documentation of your compliance efforts and can be invaluable in demonstrating that you have fulfilled your legal obligations should any questions or concerns arise.
Who Enforces the PIPA?
The Office of the Attorney General in Maryland plays a central role in enforcing the Personal Information Protection Act (PIPA), serving as the primary oversight and enforcement authority for this crucial legislation.
One of the core responsibilities of the Attorney General’s office is conducting investigations related to breaches of personal information security. When data breaches occur, this office ensures that businesses and organizations subject to PIPA are thoroughly investigated to determine the extent and implications of the breach.
What Are the Penalties for Violating the PIPA?
Ensuring compliance with the Maryland Personal Information Protection Act is not just a matter of legal obligation. The consequences of non-compliance can be severe, encompassing legal actions, monetary fines, and reputational damage.
- Legal Consequences: PIPA protects individuals’ personal information from unauthorized access or data breaches. It defines non-compliance as an unfair or deceptive trade practice under the Maryland Consumer Protection Act, and businesses violating PIPA may be subject to legal actions initiated by the Maryland Attorney General’s Office.
- Monetary Penalties: One of the most significant repercussions of non-compliance is the potential for monetary penalties. These penalties, imposed by the Attorney General, can vary depending on the nature and severity of the violation, starting with civil penalties of up to $1,000 for an initial violation and potentially increasing to up to $5,000 for subsequent violations.
- Reputational Damage: A breach of personal information can result in significant reputational damage. The loss of trust from customers and stakeholders can have long-lasting effects, impacting a business’s ability to attract and retain clients, and rebuilding trust after a data breach can be challenging and resource-intensive.
Examples of PIPA Violations
In November 2018, Marriott International, one of the world’s largest hotel chains, reported a massive data breach.
This breach exposed nearly 400 million guest records worldwide, making it one of the largest data breaches in history. Over four years, hackers gained unauthorized access to Marriott’s database, compromising sensitive information such as guests’ passport numbers and contact details.
In Maryland, a lawsuit was filed by consumers in response to this data breach, alleging violations of PIPA. The lawsuit, initiated on February 21, 2020, contended that Marriott had been negligent and failed to take adequate measures to protect consumers’ personal data from cyberattacks. The plaintiffs argued that these security lapses could have been prevented, potentially constituting violations of PIPA.
The U.S. District Court in Maryland had not yet ruled on this case. However, it’s essential to note that Marriott faced repercussions for the breach in other jurisdictions.
For instance, the UK’s Information Commissioner’s Office (ICO) imposed a substantial fine of £18.4 million (approximately $23.9 million) on Marriott for violations of the European Union’s General Data Protection Regulation (GDPR).
How Does the PIPA Compare to Other Data Privacy Laws?
Maryland’s Personal Information Protection Act (PIPA) is a significant piece of legislation designed to safeguard the privacy and security of individuals’ personal data.
Several other U.S. states have data privacy laws, and while they share common objectives with PIPA, there are differences in scope and requirements.
For instance, the California Consumer Privacy Act (CCPA) grants consumers certain rights over their data, allowing them to request access or deletion. In contrast, PIPA primarily concentrates on breach notification and security measures.
The EU General Data Protection Regulation (GDPR) is the European Union’s comprehensive data privacy framework. It grants individuals extensive control over their personal data, with rights to access, rectify, and erase their information, and also mandates stringent security measures and imposes hefty fines for non-compliance.
Canada also has the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs private-sector organizations’ collection, use, and disclosure of personal information. PIPEDA is known for its balanced approach to privacy, emphasizing the importance of consent, transparency, and reasonable security.
PIPA primarily addresses data breaches and security measures, while other laws, like GDPR, CCPA, and PIPEDA, have broader scopes, giving individuals more control over their data. GDPR, in particular, imposes substantial fines for violations.
Frequently Asked Questions
What is Maryland’s Personal Information Protection Act (PIPA)?
PIPA is a legal framework ensuring the security and protection of Maryland consumers’ personal identifying information, especially in the face of increasing data breaches and identity theft concerns.
Who does PIPA apply to?
PIPA applies to various entities in Maryland, including businesses, government agencies, non-profit organizations, and any other entities that collect, store, or handle personal information.
What constitutes “personal information” under PIPA?
Personal information includes an individual’s name and data elements like Social Security number, driver’s license number, account numbers, health information, biometric data, email addresses, and genetic information.
How can businesses ensure compliance with PIPA?
Businesses should implement robust security measures, ensure timely data breach notifications, maintain detailed records of breach activities, and understand the specific requirements of PIPA and House Bill 962.
Who is responsible for enforcing PIPA?
The Office of the Attorney General in Maryland is PIPA’s primary oversight and enforcement authority.
What are the consequences of violating PIPA?
Violations can lead to legal actions, monetary penalties of up to $5,000 for subsequent violations, and significant reputational damage.