Description

Enacted Amendment to Maryland Personal Information Protection Act (Data Breach Notification Act)

On 29 May 2022, House Bill 962 to amend the Maryland Personal Data Protection Act (known as the Data Breach Notification Act) was enacted. The amendment will be implemented on 1 October 2022. It extends the scope of the act to all businesses maintaining personal information of Maryland residents (previously only licensed businesses) and introduces stricter cybersecurity requirements. Specifically, businesses that maintain personal information of Maryland residents must introduce reasonable data security requirements and notify data subjects of data breaches within 45 days of discovery. In addition, the amendment specifies the content of data breach notifications to the Maryland Attorney General, including the number of affected data subjects, the nature of the breach, the remedies taken by the company, and how users were notified.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: subnational
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2022-02-24
under deliberation

On 24 February 2022, House Bill 962 to amend the Maryland Personal Data Protection Act (known as th…

2022-04-08
adopted

On 8 April 2022, House Bill 962 to amend the Maryland Personal Data Protection Act (known as the Da…

2022-05-29
in grace period

On 29 May 2022, House Bill 962 to amend the Maryland Personal Data Protection Act (known as the Dat…

2022-10-01
in force

On 1 October 2022, House Bill 962 to amend the Maryland Personal Data Protection Act (known as the …