QUICK FACTS
- Breach reporting must be made to the Office of the Attorney General, prior to consumer notification.
- There is specific information that must be included in consumer notifications.
- Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
- Failure to comply with breach notification requirements constitutes an unfair trade practice. Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.
- Data owner’s written contract with vendors must guarantee the vendor’s implementation of security practices.
- There are specific security requirements for handling social security numbers.
- If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
- Vendors are prohibited from charging a fee to provide any necessary information to a data owner regarding a breach..
- If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
STATUTES AND LAWS
- MD COMM L CODE §§ 14-3501-3508 PERSONAL INFORMATION PROTECTION ACT
- MD COMM L CODE §§ 14-3401-3402 THE SOCIAL SECURITY NUMBER PRIVACY ACT
- MD COMM L CODE § 14-1318 CONSUMER PROTECTION PROVISIONS
