Impacts of revised Maryland data breach law
How data breaches are defined and handled in Maryland changed in the new year. The Maryland General Assembly recently amended the Maryland Personal Information Protection Act, effective Jan. 1. Revisions to the law include:
- Adding a definition for “Health Information” and significantly expanding the definition of “Personal Information”;
- Modifying the definition of “Breach of the security of a system”; and
- Incorporating a 45-day timeframe within which to provide notification of a breach.
Under the previous version of the law, a breach included an unauthorized access or acquisition of computerized data. The revised Act removes “access,” thereby limiting a breach to the unauthorized acquisition of computerized data.
In addition, the law now includes an exception for Health Insurance Portability and Accountability Act (HIPAA)-covered entities. If your agency is subject to and in compliance with HIPAA when providing notification of a breach, you also will be deemed compliant with the Maryland law.