Maryland Modifies Provisions Regarding Personal Information Protection Act
Maryland has passed House Bill 1154 which modifies provisions of its Personal Information Protection Act. HB 1154 changes the applicability of some investigation and notification requirements for the owner or licensee of computerized data, and prohibits the charging of fees to an owner or licensee of data for information they require to comply with the notification requirements of the act.
Section 14-3504 of the Annotated Code of Maryland has been modified to require a business that maintains computerized data that includes personal information to conduct an investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. Previously only a business that owned or licensed the data was required to conduct such investigation.
Additionally, the modifications to 14-3504 prohibit a business that incurs a data breach, but who is not the owner or licensee of the data, from charging the owner or licensee of the data a fee for providing information that the owner or licensee needs in order to make a notification of the breach pursuant to 14-3504(B)(2). The owner or licensee may only use the information obtained for the purpose of providing a notice of the breach, protecting or securing personal information, or providing notification to appropriate national information security organizations.
The provisions of HB 1145 are effective October 1, 2019 and the full text of the act may be found at: https://legiscan.com/MD/text/HB1154/2019
Adam Faria, JD, is a regulatory compliance consultant with CLA. He is a graduate of Northeastern University and earned his juris doctor at Suffolk University Law School. He is admitted to the bar in Massachusetts and New Hampshire.
Comments are closed.