Maryland Extends Data Breach Notification Requirements to Include Genetic Information

On May 29, 2022, Maryland amended its Personal Information Protection Act (PIPA) to include genetic information in the definition of personal information. The amendments also shorten the data breach notification deadline from 45 days to 10 days for businesses that maintain computerized data that includes personal information. The amendments become effective on October 1, 2022.

Personal Information Protection Act (PIPA)

The Personal Information Protection Act (PIPA), Md. Code Ann. Comm. Law 14-3504, was enacted to make sure that Maryland consumers’ personal identifying information is reasonably protected, and if it is compromised, they are notified so that they can take steps to protect themselves. PIPA contains provisions for notification of consumers in the event of a data security breach and for reasonable security measures to protect consumers’ personal identifying information.

Personal Information

Under PIPA, personal information includes any of the following when they are not encrypted, redacted or otherwise rendered unreadable or unusable:

  • A username or email address combined with a password or security question and answer that permits access to an individual’s email account;
  • An individual’s first name or first initial and last name combined with other data elements; and
  • Genetic information with respect to an individual (effective October 1).

For a detailed list of what qualifies as personal information under PIPA, employers can review the guidance published by the Maryland Office of the Attorney General.

Next Steps for Employers

Employers that own or license the personal information of a Maryland resident must implement (and maintain) reasonable security procedures and practices. These procedures and practices must be commensurate with the nature of the personal information and the nature and size of the employer.

Employers that determine a breach of system security has likely compromised personal information must first notify the Office of the Attorney General and affected individuals within 10 days of the breach.

HR Works, headquartered in Upstate New York, is a human resource management outsourcing and consulting firm serving clients throughout the United States for over thirty years. HR Works provides scalable strategic human resource management and consulting services, including: affirmative action programs; benefits administration outsourcing; HRIS self-service technology; full-time, part-time and interim on-site HR managers; HR audits; legally reviewed employee handbooks and supervisor manuals; talent management and recruiting services; and training of managers and HR professionals.