Maryland’s Personal Information Protection Act (PIPA) is best summarized by its alternate name: the Maryland Data Breach Notification Law. PIPA exists to ensure that companies not only protect consumers’ personal information, but also to ensure that consumers are quickly informed of any data breaches and can respond accordingly to minimize damages.

On May 29, 2022, a new set of revisions to PIPA passed. This set of updates, known as House Bill (HB) 962, expands on the already-existing breach notification requirements laid out in PIPA. Of course, the bill outlines that businesses must exercise robust security measures to protect data collected from Maryland citizens. HB 962 also mandates the following:

• Following a data breach’s discovery, businesses have 10 days to inform all affected consumers of risks to their personal data.
• Affected consumers must always be informed of a data breach, unless a detailed investigation can determine that the information is unlikely to be misused. (As an example: if all that was stolen was encrypted data impossible to decipher without a key, and the key was not compromised, the company can reasonably conclude that the data is not likely to be misused.)
• Before affected consumers are informed of a data breach, the business should inform the Attorney General. The notice to the AG should contain:
  • A detailed description of when and how the data breach occurred
  • How many people were affected
  • A list of what the company has done and/or plans to do in response
  • An explanation and sample of how the company plans to inform consumers of the breach

These additions to the Maryland Data Breach Notification Law will take effect on October 1, 2022.

If you’re a 4Comply user, updating your privacy compliance system to accommodate these new requirements is a piece of cake. Still have questions? Get in touch with us today and let our team of experts bring your system up to speed.