Legal Bulletins

All businesses that have personal information of individuals who live in Maryland must adopt enhanced security practices and procedures by Jan. 1.

The new Maryland Personal Information Protection Act imposes information security, document disposal and data-breach protection requirements on all businesses in Maryland. It covers both employee and customer information, so every business in the state, regardless of size, is impacted. A violation of this law is an unfair or deceptive trade practice under Maryland law, which authorizes private lawsuits and hefty penalties.

Banks and other financial institutions have been subject to similar federal requirements for several years. In advising these clients, our experience shows that security breaches do happen -- but businesses can reduce or eliminate possible harm by adopting and following an up-to-date information security and data breach policy.

Under the act, personal information means an individual's first name or initial and last name in combination with one of several data elements -- Social Security numbers, driver license numbers and financial accounts that, with a security code, would permit unauthorized account access.

All Maryland businesses need to implement and maintain reasonable security procedures to protect their customers' personal information. If a business uses third-party vendors to provide its services and shares customer information, starting in 2009 it will need to incorporate the act's requirements in any written contract with the vendor. Also, when a business destroys customer records that contain personal information, it will need to take reasonable steps to make sure that, in doing so, the information does not fall into the hands of fraudsters.

Businesses also have to take quick action in the event of a breach. A breach occurs when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by the business.

You must determine the risk of harm to Marylanders whose personal information has been accessed through a prompt, good-faith investigation. If you conclude that misuse has occurred or is likely to, you must notify the affected Maryland residents as soon as possible. The notice may be delayed, however, if you have been told by law enforcement that giving notice will impede a criminal investigation or jeopardize national security. Once this risk has passed, you need to give the notice as soon as reasonably possible.

Notice may be delivered by mail, e-mail or telephone. A substitute notice option is available if the estimated cost of providing the notices will exceed $100,000 or more than 175,000 Maryland residents are affected.

Affected individuals will need to be told how they can get in touch with the three national credit reporting agencies, as well as how to obtain information from the Federal Trade Commission and the Maryland Attorney General on protecting against identity theft.

All businesses in Maryland should insure that their organization has an up-to-date information security and a data breach policy that incorporates the act's requirements. In the event of a data breach, act quickly to help minimize losses.