Businesses Must Comply With New Data Protection Law, Starting January 1

By Michael W. Briggs

Gordon, Feinblatt, Rothman, Hoffberger & Hollander, LLC

Businesses that have personal information of individuals who live in Maryland must adopt enhanced security practices and procedures by January 1, 2008. The new Maryland Personal Information Protection Act (“Act”), to be codified at Md. Com. Law II §§ 14-3501-3508, imposes information security, document disposal and data breach protection requirements on all businesses in Maryland. Businesses also must protect against unauthorized access or use of personal information when destroying records. A violation of the Act is an unfair or deceptive trade practice under the Maryland Consumer Protection Act, which authorizes private actions and hefty penalties. To protect against liability, businesses must adopt a written information security and data breach policy. Experience shows that security breaches happen, and if a business has not adopted a written policy or does not follow its own policy, losses and potential liability are probable.

The Act applies to every business in Maryland, including law firms, and covers both customer and employee records. Banks and their affiliates may choose to comply with federal law in the alternative. “Personal information” means an individual’s first name or first initial and last name in combination with one or more of the following data elements, when the name or the data elements are not encrypted, redacted or otherwise protected by another method that makes the information unreadable or unusable: Social Security number; driver’s license number; individual taxpayer identification number; or a financial account number, including a credit or debit card number, that in combination with any required security code, access code or password, would permit unauthorized access to an individual’s financial account.

To protect against unauthorized access, all Maryland businesses need to implement and maintain reasonable security procedures to protect their customers’, clients’ and employees’ personal information. When destroying records that contain personal information, a business needs to take reasonable steps to insure that, in doing so, the information does not fall into the hands of fraudsters.

Under the Act, a breach means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by the business. If someone does gain unauthorized access to personal information maintained by your client, company or firm, the client or you will need to conduct a prompt, good faith investigation to determine the likelihood that the personal information has been or will be misused, i.e., determine the risk of harm to the individuals whose personal information was acquired. If you conclude that misuse has occurred or is likely to, you must notify the affected Maryland residents as soon as possible. Notice may be delayed if requested to do so by law enforcement, but must be given as soon as law enforcement indicates it will not impede an investigation.

Notice may be delivered in three ways: by mail, by e-mail if the individual has expressly consented to receive electronic notices or the business operates primarily online, or by telephone. A substitute notice option, comprised of email, web posting and use of statewide media, is available if the estimated cost of providing the notices will exceed $100,000 or more than 175,000 Maryland residents are affected. Before the notices can be sent, the affected business must first notify the Maryland Attorney General.