NEW YEAR BEGINS WITH NEW PERSONAL INFORMATION
PROTECTION LAW IN MARYLAND
Effective January 1, 2008, all Maryland businesses –
both for-profit and not-for-profit – will be obliged
to ensure that personal information of Maryland residents
in their possession, and in the possession of their third-party
vendors, is adequately protected. The law will also require that
individuals be notified of a breach of security jeopardizing
their personal information.
Although an amendment to the Maryland
Consumer Protection Act, the Maryland
Personal Information Protection Act imposes obligations
on businesses that extend beyond the customer/business context.
The law also protects personal information that companies
maintain on any Maryland resident, which means it includes
applicants and employees. (Note that this E-lert does not
address the consumer protection aspects of the law, which
principally regulate the manner in which customer information
is destroyed.)
What is “Personal Information”
Under the Law?
For purposes of this law, “personal information”
is defined as non-redacted, non-encrypted information consisting
of an individual’s first name or initial and last
name combined with any of the following: (1) social security
number; (2) driver’s license number; (3) financial
account number; or (4) taxpayer ID number.
What Businesses Are Covered?
The law applies to any “sole proprietorship, partnership,
corporation, association, or any other business entity,
whether or not organized to operate at a profit.”
Thus, any and all entities operating in Maryland must comply
with the law.
What Obligations Does the Law Impose on Businesses?
1. Implement And Maintain Security Measures: Businesses
must implement and maintain reasonable security measures
to protect personal information from unauthorized access,
use, modification, and disclosure. Later (for contracts
entered into on or after January 1, 2009) companies will
be obliged to ensure that their contracts with non-affiliated
third parties (such as payroll services, background check
firms, accountants, and the like) require those third parties
to implement and maintain reasonable security measures for
the personal information that they receive from the companies.
The law does not define what is “reasonable” but states
that the measures should be appropriate to the nature of the
information and the nature and size of the business operation.
2. Obligations When A Security Breach Is Suspected:
Businesses that maintain computerized data that includes
personal information must, upon discovery of a security
breach or receipt of information that a breach has occurred,
conduct a “good faith” and “reasonable
and prompt” investigation. If a breach is discovered
that has led to misuse of personal information or is reasonably
likely to lead to such misuse, individuals must be notified
of the breach. If the company’s investigation concludes
that no breach occurred, it must maintain the records that
support its determination for three years.
3. Manner Of Notice To Individuals In The Event Of A
Breach Of Security: Notice is to be given to affected
individuals “as soon as practicable” after the
breach is confirmed. However, the notification may be delayed
if a law enforcement agency determines that the notification
would impede a criminal investigation or jeopardize homeland
security or if the company needs time to determine the scope
of the breach, identify the individuals impacted, or restore
the integrity of its system. The law also identifies several
modes of delivery for the notification, including written
notice, electronic notice, posting on the company’s
web site and other forms. The mode depends on factors such
as numbers of persons impacted, how individuals generally
authorize the company to communicate with them, the cost
of notification, and the like.
4. Enforcement And Remedies: The law is subject to
the enforcement and penalty provisions of the Consumer Protection
Act. This includes potential civil and criminal penalties
but, more significantly, provides an action for damages
in court by an individual to recover for whatever injury
or loss was caused by the prohibited act as well as attorneys’
fees in the court’s discretion. (The Consumer Protection
Act also authorizes the court to award the prevailing business
its attorneys’ fees if the court determines the action
was frivolous.)
What Actions Should Businesses Take
To Comply?
Companies should take measures to assess the adequacy
of the security of their personal data, including the security
of paper personnel files and electronic personnel data. This may
require an audit of business procedures and may also require
that managers and others who have access to personal data
receive training. Because what is “reasonable”
is undefined by the law and likely will only be scrutinized
in an enforcement action, time and money spent on compliance
now may well be worth the expense if a lawsuit is later filed.
The days of the unlocked file cabinet containing employment
applications and personnel folders should be long gone by
now.
Companies should also consider what actions would be taken
(and by whom) if breaches of the company’s various
systems were to be discovered. Establishing action plans
will help the company conduct the “reasonable and
prompt” investigation required by the law in the event
of a breach.
Finally, in anticipation of January 1, 2009, businesses
should begin to demand that vendors who receive applicant
or employee personal information confirm that they have
systems in place to ensure the security of the personal
information supplied to them by the company.
Shawe
Rosenthal, LLP provides this publication for informational
purposes, and it should not be construed or relied upon
as legal advice. You should contact your Shawe Rosenthal,
LLP lawyer to discuss any questions that you may have concerning
your own situation.