The Maryland Personal Information Protection Act has been updated and the new provisions are effective January 1, 2018.

The new law expands the definition of personal information that is protected under the statute. Presently, the definition of personal information includes a Maryland resident’s first and last name or initial and last name along with: a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.

The new definition of personal information includes passport numbers, other federal government-issued ID numbers, state identification card numbers, any information covered by HIPAA Rules, biometric data, an email address in combination with a password or security question that permits access to the account, health insurance policy information, certificate numbers, or subscriber ID numbers in combination with an identifier that allows the information to be used.

In addition, the law requires individuals to be notified of a breach as soon as practicable, but no later than 45 days after discovery of a breach if the data is misused or if it is likely that it could be misused.

Consistent with other state data security regulations, companies are required under the new provisions to implement appropriate security measures to protect the data, including a written information security program, and to have flow down data security provisions in contracts with vendors which may have access to personal information.