Amended Data Privacy Law Goes Into Effect In Maryland On January 1, 2018

Maryland has amended its data privacy law. Stay on top of these new requirements to avoid expensive problems down the road.

Photo of Maryland's Amended Data Privacy Law
Maryland’s Amended Data Privacy Law

If holiday parties and New Year’s Eve were not enough to keep you up at night, the State of Maryland has given businesses a hangover that will last long beyond the holidays. Effective January 1, 2018, Maryland’s amended data privacy law imposes new requirements on businesses. The State says these new requirements may create a “potential[ly] meaningful” financial impact on Maryland businesses.

I am not going to detail all of the changes to the law in this post – look for them shortly.  However, below are a number of areas that businesses need to be concerned about going forward.

Important Maryland Data Privacy Provisions

  1. A “breach” no longer requires access of the personal information. Now, it only requires acquisition of that data, regardless of whether someone actually accessed them. This is potentially an important change, as it broadens the instances when a business must give notice.
  1. The definition of “Personal Information” has been expanded.
  1. Maryland businesses must “implement and maintain reasonable security procedures and practices.” However, when amending the law, the Maryland General Assembly refused to adopt a definition of this phrase for guidance. Thus, businesses must continue to monitor changes in both technology and the law, as courts and regulators will likely evolve their definitions over time.
  1. A business cannot delay acting when faced with a potential breach. Businesses must give notice of a breach as soon as practicable, but in no event later than 45 days after discovering the breach. Notice must now be given when the breach “creates a likelihood that personal information has been or will be misused.”
  1. The law has altered how notice of a breach may be given to an individual, in certain instances.
  1. The law applies to customers, as well as employees and former employees.
  1. Businesses that disclose personal information to unaffiliated third-party service providers must contractually require that these service providers implement and maintain reasonable security procedures and practices.

The risk of non-compliance can be expensive. So, if you want to sleep better this year, stay on top of Maryland’s amended data privacy law.  Spending a few dollars now may save you a small fortune in the future.

 

Author: Scott H. Marder

Scott H. Marder is an attorney, with more than 25 years’ experience. He helps clients find solutions to their complex business problems. As an early-adopter of technology, Mr. Marder’s practice includes the intersection of technology and law. He has written and lectured on technology-related issues, as well.