On May 29, 2022, the Maryland legislature enacted House Bill 962, which amends Maryland’s Personal Information Protection Act (the “Act”). The amendments update and clarify various aspects of the Act, including, but not limited to, the timeframe for reporting a data breach to affected individuals and the content requirements for providing notice to the Maryland Attorney General.
House Bill 962 shortens the number of days data owners and licensors, and their service providers, have to report data breaches to affected individuals. Once the amendments become effective, data owners and licensors will be required to notify affected individuals within 45 days of discovering or being notified of a breach, rather than within 45 days of concluding their investigation into the breach, as was required by the previous version of the Act. In addition, the timeframe for service providers to notify data owners and licensors of a breach has been shortened from 45 days to ten days. The timeframe for a data owner or licensor to notify the Maryland Attorney General has not changed; notice to the Attorney General still must be made in advance of notice to affected individuals.
Similarly, in breaches where notification is initially delayed because law enforcement “determines that the notification will impede a criminal investigation or jeopardize homeland or national security,” data owners and licensors, and their service providers, will no longer have 30 days to notify affected individuals after law enforcement determines notification is acceptable. Now, data owners and licensors must make their required notifications within the original 45-day period, or within seven days thereafter if the 45 days already have elapsed, while service providers have seven days to do so.
House Bill 962 also provides specific content requirements for notification to the Maryland Attorney General. Notifications must include, at a minimum: (1) the number of affected individuals residing in Maryland; (2) a description of the breach, including when and how it occurred; (3) any steps the business has taken or plans to take relating to the breach; and (4) the form of the notice that will be sent to affected Maryland residents and a sample of that notice.
Other changes to the Personal Information Protection Act include clarifications to the definition of “genetic information” and to the substitute notice requirements. The amended Personal Information Protection Act will take effect on October 1, 2022.