CMM Coverage News
Maryland Extends Data Breach Notification Requirements to Genetic Information

On May 29, 2022, Maryland amended its Personal Information Protection Act (PIPA) to include genetic information in the definition of personal information. The amendments also reduce the data breach notification requirement from 45 to 10 days for businesses that maintain computerized data that includes personal information. The amendments become effective on Oct. 1, 2022.

Maryland Personal Information Protection

Maryland employers are under a legal obligation to protect any personal information they maintain. A general overview of the Maryland law on this topic is presented below.

Definition of Personal Information

"Personal information" generally means:

- An individual's first name or first initial and last name combined with any of the following data elements, when they are not encrypted, redacted, or otherwise rendered unreadable or unusable:
  - A Social Security number, individual taxpayer identification number, passport number, or other identification number issued by the federal government;
  - A driver's license or state ID card number;
  - An account, credit card, or debit card number, combined with any required security or access code, or password, that permits access to an individual's financial account;
  - Health information;
  - A health insurance policy or certificate number or health insurance subscriber identification number, combined with a unique identifier used by an insurer or self-insured employer, that permits access to an individual's health information; or
  - Biometric data generated by automatic measurements of an individual's biological characteristics that can be used to uniquely authenticate his or her identity when he or she accesses a system or account;
- A user name or email address combined with a password or security question and answer that permits access to an individual's e-mail account; and
- Beginning Oct. 1, 2022, genetic information with respect to an individual.

Destruction Requirements

When an employer is destroying an employee's or former employee's records containing his or her personal information, the employer must take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account:

- The sensitivity of the records;
- The nature and size of the employer;
- The costs and benefits of different destruction methods; and
- Available technology.

Protection Requirements

An employer that owns or licenses personal information of a Maryland resident must implement (and maintain) reasonable security procedures and practices appropriate to the nature of the personal information and the nature and size of the employer.

Security Breach Notification Requirements

An employer that owns or licenses computerized data that includes personal information of a Maryland resident must, when it discovers or is notified of a breach of system security, determine the likelihood that personal information has been (or will be) misused. If the employer determines that the breach creates a likelihood that personal information has been (or will be) misused, the employer generally must notify the individual of the breach within 45 days. In general, before giving the notification required above, an employer must provide notice of a breach to the state Attorney General.

An employer that maintains, but does not own or license, computerized data containing personal information of a Maryland resident must, when it discovers or is notified of the breach of system security, notify the owner or licensee of the personal information of the breach within 45 days (10 days on or after Oct. 1, 2022). The employer must share information relative to the breach with the owner or licensee.

If an employer is required to give notice of a breach to 1,000 or more individuals, it generally must also notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the timing, distribution, and content of the notices.

Exceptions

Maryland considers that a business is in compliance with the state law requirements described above if it complies with the notification, protection, and destruction of personal information requirements of:

- Rules established by its federal or state regulator, or
- Certain federal laws (including HIPAA).

Additional exceptions, and the required methods and contents of notice, are not covered in this summary.

Please Note: The state law summaries featured on this site are for general informational purposes only. In addition to state law, certain municipalities may enact legislation that imposes different requirements. State and local laws change frequently and, as such, we cannot guarantee the accuracy or completeness of the information featured in the State Laws section. For more detailed information regarding state or local laws, please contact your state labor department or the appropriate local government agency.