Amended Data Privacy Law Goes Into Effect In Maryland On January 1, 2018

Maryland has amended its data privacy law. Stay on top of these new requirements to avoid expensive problems down the road.


If holiday parties and New Year’s Eve were not enough to keep you up at night, the State of Maryland has given businesses a hangover that will last long beyond the holidays. Effective January 1, 2018, Maryland’s amended data privacy law imposes new requirements on businesses. The State says these new requirements may create a “potential[ly] meaningful” financial impact on Maryland businesses.

I am not going to detail all of the changes to the law in this post – look for them shortly.  However, below are a number of areas that businesses need to be concerned about going forward.

Important Maryland Data Privacy Provisions

  1. A “breach” no longer requires access of the personal information. Now, it only requires acquisition of that data, regardless of whether someone actually accessed it. This is potentially an important change, as it broadens the instances when a business must give notice.
  2. The definition of “Personal Information” has been expanded.
  3. Maryland businesses must “implement and maintain reasonable security procedures and practices.” However, when amending the law, the Maryland General Assembly refused to adopt a definition of this phrase for guidance. Thus, businesses must continue to monitor changes in both technology and the law, as courts and regulators will likely evolve their definitions over time.
  4. A business cannot delay acting when faced with a potential breach. Businesses must give notice of a breach as soon as practicable, but in no event later than 45 days after discovering the breach. Notice must now be given when the breach “creates a likelihood that personal information has been or will be misused.”
  5. The law has altered how notice of a breach may be given to an individual, in certain instances.
  6. The law applies to customers, as well as employees and former employees.
  7. Businesses that disclose personal information to unaffiliated third-party service providers must contractually require that these service providers implement and maintain reasonable security procedures and practices.

The risk of non-compliance can be expensive. So, if you want to sleep better this year, stay on top of Maryland’s amended data privacy law.  Spending a few dollars now may save you a small fortune in the future.

 

3 Quick Tips To Improve Email Security

General counsel, IT professionals and CEOs frequently lose sleep worrying about data security, including email security. Worldwide, people send approximately 205 billion emails each day! The average business user sends and receives 125 emails. Today, businesses rely on email for the majority of their communications, including those transmitting sensitive information.

Email was developed when the internet was a much smaller place. At that time, its inventors never intended that email become the primary form of business communication. As such, email security was not a concern.

A brief explanation of the internet illustrates why email is so vulnerable. During transmission, an email encounters multiple points of vulnerability along the internet. Once you hit the send button, your email travels through a series of switches and routers, likely owned and operated by different entities. Hackers can read your email if only one of these points is not secure. Scary stuff!

Consider how many of your emails contain sensitive information. For example, emails with outside counsel frequently contain non-public information about publicly-traded companies. Emails in employment cases often contain personally identifiable information or personal healthcare information. Hackers relentlessly pursue this type of information.

Now that you are properly frightened, what can you do? Short of instituting a system that encrypts all of your email with outside counsel, there are three easy ways that you can better secure your email.

3 Easy Ways to Improve Email Security

  1. Do not include sensitive data in the body of an email. Instead, include it only in an attachment, encrypted with a password. Microsoft Office makes it easy to encrypt documents. You simply go to File>Info>Protect Document and select Encrypt with Password. Next, create a password and press enter. You have now encrypted your document!

    Be sure to then send the password to the recipient in a separate email or, preferably, by voice or text. Otherwise, including the password in the same email as the attachment defeats the purpose of encryption!

  2. Encrypt PDFs in Adobe Acrobat before sending them by email. To do this, open the PDF and choose Tools>Protect>Encrypt>Encrypt with Password. If you then see a box asking whether you want to change the security settings on the document, click yes. Next, click the box labeled “Require password to open the document.” Then, enter a password at the top of the encryption box.

  3. Although not as secure as encryption, a final method for securing a document sent by email is to zip the document and require a password to open the zip file. A variety of low cost or free programs are available online to add this feature. This approach does not provide encryption, but it is more secure than sending the document without any protection.
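
A pre-send check for the three tips above, as an added example that is not part of the original post: it inspects an attachment's bytes to confirm that password protection was actually applied before the file leaves the building. The function names and sample bytes are constructed for illustration, and the Office and PDF checks are heuristics based on file signatures.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                             # ZIP local file header signature
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")   # stream name in a protected OOXML file

def _zip_protected(data: bytes) -> str:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "unknown"
    if not files:
        return "unknown"
    # Bit 0 of the general-purpose flags marks a password-protected entry.
    return "protected" if all(i.flag_bits & 0x1 for i in files) else "unprotected"

def classify_attachment(name: str, data: bytes) -> str:
    """Return 'protected', 'unprotected' or 'unknown' for an outgoing attachment."""
    ext = name.lower().rpartition(".")[2]
    if ext in {"docx", "xlsx", "pptx"}:
        if data.startswith(OLE_MAGIC) and ENC_STREAM in data:
            return "protected"       # password-protected Office files are OLE containers
        return "unprotected" if data.startswith(ZIP_MAGIC) else "unknown"
    if ext == "pdf":
        if not data.startswith(b"%PDF-"):
            return "unknown"
        # Heuristic: a password-protected PDF carries an /Encrypt entry.
        return "protected" if b"/Encrypt" in data else "unprotected"
    if ext == "zip":
        return _zip_protected(data)
    return "unknown"

def unprotected_attachments(attachments: dict) -> list:
    """Names that should block the send: anything not confirmed as protected."""
    return sorted(n for n, d in attachments.items()
                  if classify_attachment(n, d) != "protected")

# Constructed sample bytes (not real documents), enough to exercise each branch.
SAMPLES = {
    "offer.docx": OLE_MAGIC + b"\x00" * 504 + ENC_STREAM,
    "payroll.xlsx": ZIP_MAGIC + b"[Content_Types].xml",
    "claim.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "memo.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
}

if __name__ == "__main__":
    print(unprotected_attachments(SAMPLES))
```

A check like this catches the common slip of attaching the original file instead of the password-protected copy; it says nothing about the strength of the password itself.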

No method provides foolproof security.  Nonetheless, a little effort goes a long way to protecting your sensitive information and helping you sleep better.

Photo courtesy of Christoph Scholz on Flickr.