This year has barely begun and already there’s something new in the world of state breach notification requirements. On Jan 1, 2018, revisions to the Maryland Personal Information Protection Act (HB 974) went into effect, adding more specificity to the state’s breach notification requirements.

Hitting on a few of our previously identified trends, the changes in HB 974 include an expanded definition of personal information and increased specificity in the notification timeline.

Overview: Maryland Personal Information Protection Act (HB 974)

Approved by the Governor May 4, 2017, Effective January 1, 2018

Additional reading:

Definition of personal information: Under the revised regulation, the definition of personal information in Maryland now includes:

  • State identification card number
  • Passport number or other identification number issued by the federal government
  • Health information, meaning any information created by an entity covered by HIPAA regarding an individual’s medical history, medical condition, or medical treatment or diagnosis
  • Health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s medical health information
  • Biometric data
  • Username or email address in combination with a password or security question that permits access to an individual’s email account

Breach notification timeline: Rather than notifying affected individuals “as soon as reasonably practicable,” entities regulated by the Maryland Personal Information Protection Act must now notify individuals no later than 45 days after a breach investigation has concluded.

Alternate compliance: Entities subject to and in compliance with HIPAA are now deemed to be in compliance with the Maryland breach notification statute.

What this means for privacy and security teams

The new year brings new challenges for privacy and security teams in Maryland. The changes to breach notification requirements in the state will require a close eye on privacy programs, incident assessments, and a refinement of your internal processes in order to keep up with the workload.

If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you and ensures that any regulatory changes in data breach notification regulations are applied in RADAR prior to enforcement. Summaries of all data breach notification statutes, including this regulation, are available for reference within the RADAR Law Overviews.

Related blog posts: