On May 29, 2022, Maryland amended its Personal Information Protection Act (PIPA) to include genetic information in the definition of personal information. The amendments also reduce the data breach notification requirement from 45 to 10 days for businesses that maintain computerized data that includes personal information. The amendments become effective on October 1, 2022.
Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA), Md. Code Ann. Comm. Law 14-3504, was enacted to make sure that Maryland consumers’ personal identifying information is reasonably protected, and if it is compromised, they are notified so that they can take steps to protect themselves. PIPA contains provisions for notification of consumers in the event of a data security breach and for reasonable security measures to protect consumers’ personal identifying information.
Under PIPA, personal information includes any of the following when they are not encrypted, redacted or otherwise rendered unreadable or unusable:
- A username or email address combined with a password or security question and answer that permits access to an individual’s email account;
- An individual’s first name or first initial and last name combined with other data elements; and
- Genetic information with respect to an individual (effective October 1).
For a detailed list of what qualifies as personal information under PIPA, employers can review the guidance published by the Maryland Office of the Attorney General.
Next Steps for Employers
Employers that own or license the personal information of a Maryland resident must implement (and maintain) reasonable security procedures and practices. These procedures and practices must be commensurate with the nature of the personal information and the nature and size of the employer.
Employers that determine a breach of system security has likely compromised personal information must first notify the Office of the Attorney General and affected individuals within 10 days of the breach.