
MD State Regulations

QUICK FACTS

  • Breach reporting must be made to the Office of the Attorney General prior to consumer notification.
  • There is specific information that must be included in consumer notifications.
  • Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
  • Failure to comply with breach notification requirements constitutes an unfair trade practice. Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.
  • A data owner’s written contract with vendors must guarantee the vendor’s implementation of security practices.
  • There are specific security requirements for handling social security numbers.
  • If a vendor is breached, the vendor must report it to the data owner. The data owner will be responsible for completing the reporting and consumer notification.
  • Vendors are prohibited from charging a fee to provide any necessary information to a data owner regarding a breach.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.

STATUTES AND LAWS

  • MD COMM L CODE §§ 14-3501-3508 PERSONAL INFORMATION PROTECTION ACT
  • MD COMM L CODE §§ 14-3401-3402 THE SOCIAL SECURITY NUMBER PRIVACY ACT
  • MD COMM L CODE § 14-1318 CONSUMER PROTECTION PROVISIONS