A Twist Within a New State Breach Notice Law: Maryland’s Also Requires Information Security Safeguards

Here’s something that you don’t see in other states…
On May 17, Maryland Governor Martin O’Malley signed into law two identical bills, one from the House and one from the Senate, that require businesses to notify state residents if their unencrypted or unredacted personal information, whether in electronic or paper form, is breached. In addition to mandating breach notification, the new law contains data security and data destruction requirements for companies doing business in the state.

So, even though these are two different bills that were signed, because the text was identical it is considered one law.
H.B. 208 and S.B. 194 defines personal information as an individual’s first name or initial and last name in combination with their unencrypted or unredacted Social Security number, driver’s license number, taxpayer identification number, or financial account information in combination with access codes or passwords.
Interestingly, information under the protection of the Health Insurance Portability and Accountability Act (HIPAA) is not considered “personal information.”
The new Maryland law contains a risk of harm threshold for when notification is required. A company must provide notice to individuals only if an investigation shows that “misuse of the individual’s personal information has occurred or is reasonably likely to occur.”
If a company determines that no notification is required it must retain information detailing its decision that the risk of harm threshold was not met for at least 3 years.
Besides just requiring breach notices, as most other state breach notice laws do, the new Maryland law also requires organizations to provide safeguards for personally identifiable information (PII).
Businesses that possess or destroy records with PII must take reasonable measures to prevent unauthorized access to that information.
And, as of January 1, 2009, businesses will also have to include these data protection requirements in their contracts with third party companies they use to maintain or destroy records.
I’m glad to see this law covers PII in paper form. Many significant incidents have occurred with PII on paper. However, the U.S. really needs a comprehensive federal data protection law to make protecting PII consistent throughout all the states and territories.

Tags: , , , , , , , , , ,

Leave a Reply