Mandated Timeframe for Breach Reporting and/or Consumer Notification
Up to 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Third Party: Specific Obligations
Third Party: Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach and notification laws:
- constitutes an unfair trade practice
Third Party Management
None to minimal
Breach reporting must be made to the Office of the Attorney General, prior to consumer notification.
There is specific information that must be included in consumer notifications.
Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
Failure to comply with breach notification requirements constitutes an unfair trade practice. Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.
Data owner’s written contract with vendors must guarantee the vendor’s implementation of security practices.
There are specific security requirements for handling social security numbers.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
MD Comm L Code §§ 14-3501-3508 Personal Information Protection Act
MD Comm L Code §§ 14-3401-3402 The Social Security Number Privacy Act
MD Comm L Code § 14-1318 Consumer protection provisions