Maryland Privacy Laws

Breach Notification

Mandated Timeframe

Within 45 days

Fines & Penalties

Violations

Constitutes an unfair trade practice

REGULATION LEVELS

Breach Reporting Consumer Notifications
Vendor Management Vendor Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Breach Notification

Mandated Timeframe

Within 45 days

Fines & Penalties

Violations

Constitutes an unfair trade practice

REGULATION LEVELS

Breach
Reporting
Consumer
Notifications
Vendor
Management
Vendor
Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Breach Notification

Mandated Timeframe

Within 45 days

Fines & Penalties

Violations

Constitutes an unfair trade practice

REGULATION LEVELS

Breach
Reporting
Consumer
Notifications
Vendor
Management
Vendor
Contract Required
LEVEL DESCRIPTION
Minimal Basic Comprehensive Extensive
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Maryland Privacy Law Information

  • Privacy Program

    Organizations must have measures in place for the secure disposal of personal information. Organizations must contract with Vendors to whom the Organization discloses personal information. Organizations and Vendors must implement and maintain reasonable security procedures and practices for protecting personal information. There are specific security requirements for handling social security numbers.

  • Breach Reporting

    Breach reporting must be made to the Office of the Attorney General, prior to consumer notification. Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.

  • Consumer Notification

    There is specific information that must be included in consumer notifications.

  • Vendor/Third Parties

    Vendors must notify Organizations without delay, but no later than 45 days, after the discovery of a breach or suspected breach and provide the necessary information concerning the breach incident. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Vendors are prohibited from charging a fee to provide any necessary information to an Organization regarding a breach.

  • Industry Specific Laws

    Maryland passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Effective October 1, 2019, licensees must comply with breach notification requirements, including Commissioner notification within 45 days.

  • Fines & Penalties

    Organizations may be fined or penalized for Vendor violations. Failure to comply with requirements under the Personal Information Protection Act constitutes an unfair trade practice.

Maryland

Statutes and Laws