- Maryland has updated its data breach notification law, with information protected under HIPAA to be included under the definition of personal information. Should that data be compromised in a data breach, state organizations will need to notify consumers.
The new provisions under the Maryland Personal Information Protection Act (HB 974) will go into effect on January 1, 2018.
Personal information currently includes an individual’s first name or first initial and last name combined with any of the following:
- Social Security number
- Driver’s license number
- Financial account number, including a credit or debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s financial account
- Individual taxpayer identification number.
The changes will now also include health information, or data created by a HIPAA covered entity regarding an individual’s “medical history, medical condition, or medical treatment or diagnosis. Health insurance policy, certificate number, or health insurance subscriber identification number – in combination with a unique identifier that permits access to the information – were also added to the personal information definition.
Biometric data (i.e., fingerprints, voice prints, genetic prints) was also added to the law, along with passport numbers, state identification card numbers, and a user name or email address in combination with a password or security question and answer to gain account access.
The timeframe for data breach notification was also updated, with state companies now needing to notify individuals “as soon as reasonably practicable, but not later than 45 days.” Previously it had been a 30-day timeframe.
“If after the investigation required…is concluded, the business determines that notification…is not required, the business shall maintain records that reflect its determination for 3 years after the determination is made,” the amendment reads.
Notification can be provided in the following ways:
- By written notice sent to the most recent address of the individual in the records of the business
- By electronic mail to the most recent electronic mail address of the individual in the records of the business
- By telephonic notice, to the most recent telephone number of the 6 individual in the records of the business
- By substitute notice as provided in subsection (f) of this section
Substitute notice can be given by electronic mailing, posting the notice on the business’ website, and media notification.
The updated law also amended Maryland’s record destruction requirement. Previously, only customer records were covered. The changes now include employee and former employee records containing personal information.
More states are working to update their data breach notification laws, especially in the wake of large-scale data breaches like Equifax.
New York Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to the New York legislature in early November 2017.
“New York's data breach notification law needs to be updated keep pace with current technology,” the bill’s summary states. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information.”
The legislation also includes information covered under HIPAA regulations, biometric data, and username-and-password combinations under its definition of personal information.
Assemblymember Brian Kavanagh was one of the bill’s sponsors, and said in a statement that data security practice deficiencies at big businesses have put millions of New Yorkers at risk.
“I am proud to work with Attorney General Schneiderman on this important legislation to require businesses to take appropriate steps to safeguard our data,” Kavanagh explained. “In this technological age, we cannot allow companies to be careless with our personal information. I look forward to working with Senator Carlucci and our colleagues in the legislature to enact this bill into law.”