Legislative Alert: Maryland Amends Data Breach Notification Law to Improve Incident Response
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
On April 30, 2019, Maryland enacted an amendment to the Maryland Personal Information Protection Act (Md. Code Ann. § 14-3504), which becomes effective on October 1, 2019. The amendment was introduced in response to a rise in consumer complaints about identity theft. Reportedly, over one-third of all identity theft complaints in Maryland are based on credit card fraud. After significant previous expansions of the statute, this time the Maryland legislature sought to revise existing law to address how businesses cooperate with one another in order to facilitate incident response.
Expanded Applicability to Investigation Requirement
The amendment effectively expands the applicability of the requirement to conduct a good faith, reasonable, and prompt investigation to all businesses that own, license, or maintain personal information. The amendment also provides that the obligation to investigate is triggered when a business discovers or “is notified that it incurred a breach of the security of the system.” For example, if a business uses a third-party vendor to maintain the personal information of its clients or employees, then in the event of a data breach both businesses may potentially be required to conduct investigations.
Clarification on Notification Obligations
The amendment clarifies that the requirement of notification applies to “owners and licensees of computerized data,” not to the business that “maintains” it. Instead, the business that maintains the data is required to notify the data owner/licensee “as soon as practicable.”
Required Cooperation/Prohibition Against Charges and Other Use
Businesses that are not data “owners or licensees,” and are thus not subject to the notification requirement, are prohibited from charging the owner or licensee a fee for necessary information related to breach notification. This will particularly affect smaller vendors, which will have to conduct investigations and share incident information with the data owner/licensee at their own cost.
The amendment also prohibits data owners and licensees from using information related to a breach of the security of a system for any purpose other than (1) providing notification, (2) protecting personal information, or (3) providing notification to national information security organizations for information sharing. It is unclear what implications, if any, this provision will have on the potential indemnity rights of data owners/licensees against the business that maintains the data.
In sum, the amendment requires all businesses to conduct reasonable and prompt investigations following a data breach. However, while the business that maintains the data must report to the data owner/licensee, the duty to notify consumers and regulators lies with the data owner/licensee. The amendment also attempts to increase cooperation by protecting the exchange of information relating to a breach and by prohibiting fees for the information necessary to enable notification. The goal of closer cooperation between businesses is improved incident response and, ultimately, strengthened consumer protection.
The statutory changes should prompt affected businesses to review and, where necessary, update their contractual provisions and their policies & procedures. In addition, businesses should review their financial risk mitigation options and consider, for example, cyber insurance. Lastly, the responsibilities outlined in the revised statute emphasize the importance of incident response planning for businesses of any size.