Maryland Amends Its Private Info Safety Act

On Might 29, 2022, the Maryland legislature enacted Home Invoice 962, which amends Maryland’s Private Info Safety Act (the “Act”). The amendments replace and make clear varied elements of the Act, together with, however not restricted to, the timeframe for reporting an information breach affected people, and content material necessities for offering discover to the Maryland Lawyer Normal.

Home Invoice 962 shortens the variety of days knowledge homeowners and licensors, and their service suppliers, should report knowledge breaches to affected people. As soon as the amendments grow to be efficient, knowledge homeowners and licensors will probably be required to inform affected people inside 45 days of discovering or being notified of a breach, moderately than inside 45 days of concluding their investigation into the breach, as was required by the earlier model of the Act. As well as, the timeframe for service suppliers to inform knowledge homeowners and licensors of a breach has been shortened from 45 days to 10 days. The timeframe for an information proprietor or licensor to inform the Maryland Lawyer Normal has not modified; discover to the Lawyer Normal nonetheless should be made upfront of discover to affected people.

Equally, in breaches the place notification is initially delayed as a result of legislation enforcement “determines that the notification will impede a prison investigation or jeopardize homeland or nationwide safety,” knowledge homeowners and licensors, and their service suppliers, will now not have 30 days to inform affected people after legislation enforcement determines notification is appropriate. Now, knowledge homeowners and licensors should make their required notifications inside the unique 45 day interval, or inside seven days thereafter if the 45 days have already got elapsed, whereas service suppliers have seven days to take action.

Home Invoice 962 additionally supplies particular content material necessities for notification to the Maryland Lawyer Normal. Notifications should embrace, at a minimal: (1) the variety of affected people residing in Maryland; (2) an outline of the breach, together with when and the way it occurred; (3) any steps the enterprise has taken or plans to take referring to the breach; and (4) the type of the discover that will probably be despatched to affected Maryland residents and a pattern of that discover.

Different adjustments to the Private Info Safety Act embrace clarifications to the definition of “genetic data” and to the substitute discover necessities. The amended Private Info Safety Act will take impact on October 1, 2022.