Mandated Timeframe for Breach Reporting and/or Consumer Notification

Up to 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws constitutes an unfair trade practice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Office of the Attorney General, prior to consumer notification.
  • There is specific information that must be included in consumer notifications.
  • Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
  • Failure to comply with breach notification requirements constitutes an unfair trade practice. Violations can incur cease and desist orders, arbitration, fines and penalties, injunctions or other relief.
  • Data owner’s written contract with vendors must guarantee the vendor’s implementation of security practices.
  • There are specific security requirements for handling social security numbers.
  • If vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • MD Comm L Code §§ 14-3501-3508 Personal Information Protection Act
  • MD Comm L Code §§ 14-3401-3402 The Social Security Number Privacy Act
  • MD Comm L Code § 14-1318 Consumer protection provisions
BAck to map