The Maryland Personal Information Protection Act, known as MPIPA, was amended in April of 2019 by House Bill (HB) 1154. The amended law went into effect on October 1st of 2019. Prior to the amendments, the law imposed notification duties on two groups: (1) businesses that owned and licensed computerized data that included personal information of Maryland residents, and (2) businesses that maintained (but did not own or license) such data. The first group had to notify individuals whose personal information had been or would be misused due to security breaches; the second group had to notify the owners or licensees of the data of the breach of the security of a system. The amended Maryland Personal Information Protection Act imposes additional data breach investigation and reporting requirements.
What Additional Requirements Does the Amended Maryland Personal Information Protection Act Impose?
The amended Maryland Personal Information Protection Act imposes the following additional requirements:
- The Amended Maryland Personal Information Protection Act requires businesses that own, license, or maintain computerized data that includes personal information of an individual residing in the State to conduct, in good faith, reasonable and prompt investigations to determine the likelihood that the personal information of an individual has been or will be misused as a result of a data breach.
- The Amended Maryland Personal Information Protection Act requires that if, after an investigation is concluded, the business determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data that contains the personal information must notify affected individuals of a breach.
- The Amended Maryland Personal Information Protection Act provides that businesses that incurred a breach of a security system, and that are not the owner or licensee of the computerized data containing the personal information, MAY NOT charge the owner or licensee of that data a fee for providing information the owner or licensee needs to make a data breach notification.
- The Amended Maryland Personal Information Protection Act provides that owners and licensees of computerized data containing personal information may not use information relative to the breach of the security of a system for purposes other than:
  - Providing notification of the breach;
  - Protecting or securing personal information;
  - Providing notification to national information security organizations created for information-sharing and analysis of security threats, to alert and avert new or expanded breaches.