
Amendments to the Personal Information Protection Act

Maryland has enacted revisions to the Personal Information Protection Act, otherwise known as House Bill 974, that will become effective January 1, 2018.

With identity theft on the rise, these revisions are important additions to the law. The amendments expand the definition of personal information, modify the definition of breach of security, provide a 45-day period for notification, allow alternative notice for breaches that enable a person’s email to be accessed, and expand the class of information subject to Maryland’s destruction of records laws.

Current Definition of Personal Information

Under the existing act, Md. Code Com. Law §14-3501, personal information is defined as a person’s first name or initial and last name combined with any of the following:

  • Social Security number or driver’s license number
  • Financial account number, including a credit or debit card number that, when combined with a security code, access code, or password, would permit access to someone’s financial account
  • Individual taxpayer number

Amended and Expanded Definition of Personal Information

The expanded definition of personal information now includes:

  • Passport numbers and other ID numbers issued by the federal government
  • State ID card numbers
  • Health information, including any information created by an entity covered by HIPAA regarding medical history, condition, treatment, or diagnosis
  • Health insurance policy, certificate number, or health insurance subscriber ID, in conjunction with a unique identifier that permits access to the information
  • Biometric data, such as a fingerprint, voice print, retina or iris image, etc., that can be used to authenticate a person’s identity
  • User name or email address in combination with a password or security question and answer that permits access to an account

Under current law, any breach of security includes unauthorized access or retrieval of computerized personal information. The new amended law will remove the word “access,” which means breaches are limited to unauthorized acquisitions.

Investigation and Notification

Any business that owns or licenses computerized data that includes personal information of a Maryland resident must in good faith conduct a reasonable and timely investigation to determine the chances of any personal information being misused as a result of a security breach. The new law amends the timeframe on when notification must be provided, setting a timeline of no more than 45 days after conclusion of the investigation. Also, a business must first provide notice of the possible breach to the Maryland Attorney General prior to giving required notice to the potential victim.

Records Destruction

The new law also expands the class of information that falls under Maryland’s record destruction rules. The active law only covers customer records, while the new law will also include any records related to employees and former employees that contain personal information.

When to Hire a Personal Injury Attorney

Data breaches and the possibility of a subsequent identity theft can be terrifying and completely debilitating. If you think you are a victim of identity theft due to a negligent business leaking your personal information and data, it is important to contact an experienced Maryland personal injury attorney. Contact the Law Office of Robert R. Castro for a no-cost consultation with an experienced Charles County accident attorney at (301) 870-1200. We can help you navigate this difficult process and explain what recourse you have, including any potential for a class action lawsuit.