Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

Under the existing data breach notification law, a business that owns or licenses personal information and becomes aware of a data security breach must conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The Bill expands this investigatory requirement to apply expressly to all businesses that own, license or maintain the personal information of Maryland residents. The Bill also amends the notification obligation and provides that if notification to affected individuals is required based on the risk of harm, “the owner or licensee of the computerized data shall notify the individual of the breach.”

The Bill also provides that the owner or licensee of personal information cannot use information related to the breach of the security of a system other than to provide notification, protect or secure personal information, or provide notification to “national information security organizations created for information sharing and analysis of security threats, to alert and avert new or expanded breaches.” Additionally, if the business that incurs the security breach is not the owner or licensee of personal information, that business may not charge the relevant owner or licensee for information necessary to carry out the owner or licensee’s notification obligations under Maryland’s breach law.

The Bill does not change the timing requirement for notification of a data breach, which must be made to affected individuals within 45 days of when the business discovers or is made aware of the breach and to the Maryland Attorney General prior to the time notice is given to affected individuals. In addition, the Bill does not change the existing requirement that a business maintain documentation for three years if it determines that notice is not required because misuse of personal information has not occurred and is not likely to occur.

The relevant amendments take effect on October 1, 2019.