Understanding the Maryland Personal Information Protection Act: What You Need to Know
Data breaches are becoming more frequent and severe, with personal information stolen by external attackers and rogue insiders being used for identity theft, credit fraud, and other crimes. In response, most US states have enacted their own data security and breach notification statutes. Maryland's is the Maryland Personal Information Protection Act (PIPA), first enacted in 2008 and substantially expanded by amendments that took effect on January 1, 2018. It establishes requirements for businesses that collect, process, and store personal information of Maryland residents. This article covers the key provisions of the law and how organizations can comply with them.
Scope of the Law
The Maryland Personal Information Protection Act (PIPA) applies to any business that owns, licenses, or maintains computerized personal information of Maryland residents, whether or not the business is physically located in Maryland. Personal information is defined as an individual's first name or first initial and last name in combination with one or more of the following data elements, where the name or the data element is not encrypted, redacted, or otherwise protected by a method that renders the information unreadable or unusable. The 2018 amendments broadened the list of data elements; as amended, it includes:
– Social Security number, individual taxpayer identification number, passport number, or other identification number issued by the federal government
– Driver’s license number or State identification card number
– Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that permits access to the individual’s financial account
– Health information, including information about an individual’s mental health
– Health insurance policy or certificate number, or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or employer
– Biometric data, such as a fingerprint, voice print, genetic print, or retina or iris image, used to authenticate the individual’s identity
Personal information also includes a user name or e-mail address in combination with a password or security question and answer that permits access to the individual’s e-mail account, even without the individual’s name. It does not include information that is lawfully made available to the general public from federal, State, or local government records, or information that the individual has consented to have publicly disseminated or listed.
Compliance Requirements
Under PIPA, businesses must take reasonable steps to safeguard personal information from unauthorized access, use, modification, or disclosure. Specifically, they must:
– Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information they own or license and to the nature and size of the business and its operations
– After discovering or being notified of a breach of the security of a system, conduct a reasonable and prompt investigation, and notify affected individuals if unencrypted or unredacted personal information has been or is reasonably likely to be misused, as soon as reasonably practicable and no later than 45 days after discovering or being notified of the breach
– Notify the Office of the Maryland Attorney General before sending notice to affected individuals, for any breach that triggers individual notice (there is no headcount threshold), and notify the nationwide consumer reporting agencies if more than 1,000 individuals are being notified
– If the business maintains personal information on behalf of its owner or licensee, notify that owner or licensee of the breach so that the owner can meet its own notification obligations
– Take reasonable steps to protect against unauthorized access to or use of personal information when destroying customer records, for example by shredding, erasing, or otherwise rendering the information unreadable or indecipherable
Enforcement and Penalties
PIPA is enforced by the Maryland Attorney General: a violation is an unfair or deceptive trade practice under the Maryland Consumer Protection Act and is subject to that Act’s enforcement and penalty provisions. The Attorney General may bring an action or enter into a settlement agreement with the responsible party to obtain compliance and civil penalties, generally up to $10,000 per violation and up to $25,000 for each subsequent violation, and affected individuals may have private claims under the Consumer Protection Act as well. In addition, businesses that fail to comply with PIPA face reputational damage, loss of customer trust, and liability in civil lawsuits.
Best Practices for Compliance
To comply with PIPA and protect personal information, businesses should follow these best practices:
– Conduct a risk assessment and establish a privacy and data security program that identifies and addresses potential threats and vulnerabilities
– Train employees and contractors on privacy and data security policies, procedures, and practices
– Limit the collection, use, and retention of personal information to what is necessary for legitimate business purposes
– Encrypt personal information at rest and in transit, with the keys stored separately from the data, and apply firewalls and access controls; because PIPA’s notification duty turns on unencrypted or unredacted data, properly keyed encryption also narrows breach exposure
– Conduct regular audits, assessments, and testing to ensure the effectiveness of the privacy and data security program
– Maintain a written incident response plan that covers how a suspected breach will be investigated, who decides whether misuse of the information is reasonably likely, and how the prior Attorney General notice and the 45-day individual notice deadline will be met
Conclusion
The Maryland Personal Information Protection Act is a significant step forward in protecting the privacy and security of personal information of Maryland residents. By complying with its requirements and following best practices for privacy and data security, businesses can protect their customers’ personal information, mitigate the risk of data breaches, and avoid legal penalties and reputational harm. It is important for organizations to take proactive measures to safeguard personal information and stay informed about changes to the privacy regulatory landscape.