The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 

Rapid Response Hotline 877.382.2724

Maryland

Data Breach Notification Statute

Highlights

Covered Entities: A sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit, including a financial institution organized, chartered, licensed, or otherwise authorized under the laws of Maryland, any other state, the United States, or any other country, and the parent or subsidiary of a financial institution, that owns, licenses, or maintains computerized data that includes personal information of an individual residing in Maryland.

Consumer Notification: When there is a breach of personal information.

Regulatory Notification: To the Maryland Office of the Attorney General.

Notification Timeline: As soon as reasonably practicable but no later than 45 days after discovery or notification of the breach of the security of a system.

Data Format: Computerized data.

Citations: Md. Code Ann., Com. Law § 14-3501 et seq.

More Details

Definitions:

  • Breach: Breach of the security of a system means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.
  • Personal Information (PI): 
    • An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:
      • A Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number used by the federal government;
      • A driver’s license number or State identification card number;
      • An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account;
      • Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or
      • Genetic information with respect to an individual for purposes of notifications required under § 14-3504(b)(2), (c), (d), (e), (f), and (g).
    • A username or e-mail address in combination with a password or security question and answer that permits access to an individual’s e-mail account.
  • Medical Information: Health information, including information about an individual’s mental health.
  • Health Insurance Information: A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information.

Safe Harbors:

  • Encryption: The notification requirement does not apply to personal information that is encrypted, redacted, or otherwise protected by another method that renders it unreadable or unusable.
  • Good Faith: A breach of the security of a system does not include the good faith acquisition of personal information by an employee or agent of a business for the purposes of the business, provided that the personal information is not used or subject to further acquisition.
  • Risk of Harm: Notification is not required if the entity, as soon as a potential breach is discovered or made known, conducts a reasonable, prompt, and good faith investigation, and determines that misuse of personal information has not and is not likely to occur as a result of the breach. The entity must maintain records of the determination in writing for three (3) years.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation or jeopardize homeland or national security.

Direct Notice:

  • Timing: As soon as reasonably practicable, allowing time to determine the scope of the breach of the security of a system, identify the individuals affected, or restore the integrity of the system, but no later than forty-five (45) days after discovery or notification of the breach of the security of a system.
  • Format: N/A
  • Content: The notification shall include:
    • To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired;
    • Contact information for the business, including address, telephone number, and toll-free telephone number if one is maintained;
    • The toll-free telephone numbers and addresses for major consumer reporting agencies; and
    • The toll-free telephone numbers, addresses, and website addresses for the Federal Trade Commission and the Maryland Office of the Attorney General.
  • Method: By written notice sent to the most recent address of the individual in the records of the entity; or by electronic mail sent to the most recent e-mail address of the individual in the records of the entity, if: (i) the individual has expressly consented to receive electronic notice; or (ii) the business conducts its business primarily through Internet account transactions or the Internet.

Substitute Notice:

Electronically mailing the notice if the entity has an electronic mail address for the individual to be notified; conspicuous posting of the notice on the website of the entity; and notification to a major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside.

Remediation Services:

N/A

Regulatory Notice:

Prior to giving the notification required to consumers, a business shall provide notice of a breach of the security of a system to the Maryland Office of the Attorney General, which shall include, at a minimum, (i) the number of affected individuals residing in Maryland; (ii) a description of the breach of the security of a system, including when and how it occurred; (iii) any steps the business has taken or plans to take relating to the breach of the security of a system; and (iv) the form of notice that will be sent to affected individuals and a sample notice.

Credit Reporting Agencies Notice:

If a business is required to give notice of a breach of the security of a system to 1,000 or more individuals, the business also shall notify, without unreasonable delay, each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Third-Party Notice:

A business that maintains computerized data that includes personal information of an individual residing in Maryland that the business does not own or license, when it discovers or is notified of a breach of the security of a system, shall notify, as soon as practicable, but not later than 10 days after discovery or notification of the breach of the security of a system, the owner or licensee of the personal information of the breach of the security of a system, and shall share information relative to the breach to allow the owner or licensee to provide notification of the breach, protect or secure personal information or provide notification to national information security organizations, to alert and avert new or expanded breaches.

HIPAA:

Compliance with the subtitle does not relieve a business from its duty to comply with other requirements of federal law relating to the protection and privacy of personal information. Compliance with HIPAA is deemed to be compliance with the subtitle.

Private Action:

A violation of the statute is an unfair or deceptive trade practice within the meaning of Maryland’s Consumer Protection Act (Md. Code Ann., Com. Law § 13-101 et seq.), and is subject to the enforcement and penalty provisions of Title 13. A consumer who is subjected to a violation may file a complaint with the Division of Consumer Protection of the Maryland Office of the Attorney General.

Associated Regulations:

  • Insurance Data Security (Md. Code Ann., Ins. §§ 33-101 - 33-109)
  • Information Security Standard (Md. Code Ann., Com. Law §§ 14-3501 to 14-3503, 14-3507, 14-3508)
  • Md. Code Ann., Com. Law § 13-101 et seq.

Insurance Data Security Statute

Highlights

Covered Entities: An authorized insurer, a nonprofit health service plan, a health maintenance organization, a dental organization, a managed general agent, or a third-party administrator; not including a purchasing group or a risk retention group chartered and licensed in a state other than Maryland or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Security Standard: A carrier must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information systems.

Consumer Notification: A licensee shall comply with the Maryland Personal Information Protection Act, Subtitle 35 of Title 14, as applicable.

Regulatory Notification: A licensee shall notify the Maryland Insurance Commissioner as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Notification Timeline: As promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.

Citations: Md. Code Ann., Ins. §§33-101 – 33-109.

More Details

Definitions:

  • Consumer: An individual, including an applicant, a policyholder, an insured, a beneficiary, a claimant, and a certificate holder, who is a resident of Maryland and whose nonpublic information is in a licensee’s possession, custody, or control.
  • Cybersecurity Event: An event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization; or an event with regard to which the licensee has reasonably determined that the nonpublic information accessed by an unauthorized person has not been and will not be used or released and has been returned or destroyed.
  • Licensee: An authorized insurer; a nonprofit health service plan; a health maintenance organization; a dental organization; a managed general agent; or a third-party administrator, not including a purchasing group or a risk retention group chartered and licensed in a state other than Maryland or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
  • Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
    • Business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee.
    • Information concerning a consumer that, because of name, number, personal mark, or other identifier, can be used to identify the consumer, in combination with one (1) or more of the following data elements:
      • Social Security number;
      • driver's license number or nondriver identification card number;
      • account, credit, or debit card number;
      • a security code, an access code, or a password that would allow access to a consumer's financial account; or
      • biometric records; or
    • Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify a particular consumer and that relates to:
      • the past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer's family;
      • the provision of health care to a consumer; or
      • payment for the provision of health care to a consumer.

Regulatory Notice:

A licensee shall notify the Maryland Insurance Commissioner as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:

  • Maryland is the state of domicile of the licensee, and the cybersecurity event has a reasonable likelihood of harming a consumer residing in the State or any material part of the normal operations of the licensee; or
  • The licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in Maryland and either of the following circumstances is present:
    • A cybersecurity event impacting the licensee has occurred for which notice must be provided to a government body, self-regulatory agency, or any other supervisory body under state or federal law; or
    • A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Maryland or a material part of licensee’s operations.

Content Requirements:

When notifying the Maryland Insurance Commissioner of a cybersecurity event, a licensee shall provide as much of the following information as reasonably possible:

  • The date of the cybersecurity event.
  • A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any.
  • How the cybersecurity event was discovered.
  • Whether any lost, stolen, or breached information has been recovered and, if so, how this was done.
  • The identity of the source of the cybersecurity event.
  • Whether the licensee has filed a police report or has notified a regulatory, government, or law enforcement agency and, if so, when the notification was provided.
  • A description of the specific types of information acquired without authorization and, more specifically, particular data elements, such as types of medical information, types of financial information, or types of information allowing identification of the consumer.
  • The period during which the information system was compromised by the cybersecurity event.
  • The number of total consumers in Maryland affected by the cybersecurity event, with the licensee providing: the best estimate of this number in its initial report to the Commissioner; and an updated estimate of this number in each subsequent report to the Commissioner in accordance with this section.
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
  • A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
  • A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
  • The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

Third-Party Notice Requirements:

N/A

Penalties:

In addition to any other sanction to which a licensee may be subject, a licensee that violates a provision of this title is subject to a penalty of not less than $100 and not more than $125,000 for each violation.

Associated Regulations:

  • Md. Code Ann., Com. Law § 14-3501 et seq.

Information Security Standard

Highlights

Covered Entities: Any entity that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information.

First Party Security Standard: To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns, maintains, or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained, or licensed and the nature and size of the business and its operations.

Third Party Security Standard: A business that uses a non-affiliated third party as a service provider to perform services for the business and discloses personal information about an individual residing in the State under a written contract with the third party shall require by contract that the third party implement and maintain reasonable security procedures and practices that: are appropriate to the nature of the personal information disclosed to the nonaffiliated third party, and are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.

Disposal/Destruction Standard: When a business is destroying a customer’s, an employee’s, or a former employee’s records that contain personal information of the customer, employee, or former employee, the business shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account: the sensitivity of the records; the nature and size of the business and its operations; the costs and benefits of different destruction methods; and available technology.

Data Format: Electronic and Paper.

Citations: Md. Code Ann., Com. Law §§ 14-3501 to 14-3503, 14-3507, 14-3508

More Details

Definitions:

  • Personal Information (PI): An individual’s first name or first initial and last name in combination with one (1) or more of the following unencrypted data elements:
    • Social Security number, individual taxpayer identification number, passport number, or other identification number issued by the federal government;
    • Driver’s license number or state identification card number;
    • Account number, credit or debit card number, in combination with any required security code, access code, or password to permit access to an individual’s financial account;
    • Health information, including information about an individual’s mental health;
    • Health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s health information;
    • Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or
      • For purposes of the notifications required under § 14-3504(b)(2), (c), (d), (e), (f), and (g) of this subtitle, genetic information with respect to an individual.

PI also includes: (i) a user name or e-mail address in combination with a password or security question and answer that permits access to an individual’s e-mail account; or (ii) for purposes of the requirements of the subtitle other than the notifications required under § 14-3504(b)(2), (c), (d), (e), (f), and (g), genetic information with respect to an individual, when the genetic information is not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records; information that an individual has consented to have publicly disseminated or listed; or information that is disseminated or listed in accordance with the federal Health Insurance Portability and Accountability Act.

  • Affiliate: A company that controls, is controlled by, or is under common control with a business described in subsection (c)(1) or (d)(1) of this section.

Methods of Compliance:

The statute does not define what constitutes reasonable security procedures and practices.

Exclusions:

A business that is subject to and in compliance with, or an affiliate that complies with:

  • Requirements for notification procedures, the protection or security of personal information, or the destruction of personal information under the rules, regulations, procedures, or guidelines established by the primary or functional federal or State regulator of the business shall be deemed to be in compliance with this subtitle.
  • § 501(b) of the federal Gramm–Leach–Bliley Act, 15 U.S.C. § 6801, § 216 of the federal Fair and Accurate Credit Transactions Act, 15 U.S.C. § 1681w, the federal Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and any revisions, additions, or substitutions, shall be deemed to be in compliance with this subtitle.
  • The federal Health Insurance Portability and Accountability Act of 1996 shall be deemed to be in compliance with this subtitle.

Enforcement/Penalties:

Any person may bring an action to recover for injury or loss sustained by him or her as the result of a practice prohibited by this title. Any person who brings an action to recover for injury or loss under this section and who is awarded damages may also seek, and the court may award, reasonable attorney’s fees.

Associated Regulations:

  • Md. Code Ann., Com. Law § 13-408.