Timing of Consumer Notification
Within 45 days after entity concludes investigation.
Method of Notice
Mail or phone. Email permitted if complies with E-SIGN.
Breach Definition
Unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information maintained by a business.
PII Definition
Individual's first name or first initial and last name in combination with any of these when not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:
  1. Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by federal government;
  2. Driver's license number or State identification card number;
  3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password, that permits access to individual's financial account;
  4. Health information, including information about individual's mental health;
  5. Health insurance policy or certificate number or health insurance subscriber identification number, in combination with unique identifier used by insurer or employer that is self-insured, that permits access to individual's health information; or
  6. Biometric data of individual generated by automatic measurements of individual's biological characteristics such as fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate individual's identity when individual accesses system or account; OR
User name or e-mail address in combination with password or security question and answer that permits access to individual's email account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach.
How to Notify
Notification shall include:
  • Description of categories of information that were, or are reasonably believed to have been, acquired by unauthorized person, including which elements of personal information were, or are reasonably believed to have been, acquired;
  • Contact information for business making notification, including business' address, telephone number, and toll-free telephone number if one is maintained;
  • Toll-free telephone numbers and addresses for major consumer reporting agencies;
  • Toll-free telephone numbers, addresses, and website addresses for FTC and Maryland Attorney General; and
  • Statement that individual can obtain information from these sources about steps individual can take to avoid identity theft.
Substitute Notice
All: (a) emailing notice to individual entitled to notification, if business has email address for individual to be notified; (b) conspicuous posting of notice on website of business, if it maintains one; and (c) notification to statewide media.
Credit Monitoring
Not required.
When to Notify Credit Agencies
If notice must be given to 1,000 or more Maryland residents.
This State's Law
If breach affects only email account, entity may provide notification in electronic or other form that directs individual whose personal information has been breached promptly to:
1. Change password and security question or answer; or
2. Take other steps appropriate to protect email account and all other online accounts for which individual uses same user name or email and password or security question or answer.
Notification cannot be sent to affected email account.
State Government Agency Notification Required
Yes, to Maryland Attorney General, before giving consumer notice.