Data Points: Privacy & Data Security Blog

On May 29, 2022, Maryland amended the Maryland Personal Information Protection Act (PIPA). Effective October 1, 2022, the amendment (located here https://mgaleg.maryland.gov/2022RS/chapters_noln/Ch_502_hb0962E.pdf ) revises provisions regarding genetic information. These revisions include an undefined term “genetic information” for purposes of notices requires under PIPA. But the revisions also add a revised definition of genetic information as it applies to all other provisions of the law, including provisions requiring investigation into a data breach and the requirement that businesses implement and maintain reasonable security procedures and practices. Specifically, the revised definition includes data that results from the analysis of a biological sample of the individual or from another source that concerns genetic material and enables equivalent information to be obtained, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived or inferred from such data, unless the information is encrypted, redacted or otherwise protected by a method that renders the information unreadable or unusable. 

In addition, “health information” no longer is limited to information created by an entity covered by HIPAA. The PIPA amendments also (i) shorten the time period for notification of a data breach to 45 days after the business “discovers or is notified of the breach of a security of a system” instead of 45 days after conclusion of the investigation of an incident. The threat of harm exception to notice is modified to require notice of a breach unless the business “reasonably” determines that the breach of a security system “does not create” a likelihood that personal information has been or will be misused. Businesses who maintain personal information, but do not own or license the information, must provide notice to the owner of the breach within ten days after the business is notified or discovers the breach (shortened from the current 45 days). The amendment also reduces the time period for an owner of personal information to provide notice of a breach of a security system after a law enforcement delay, reducing the period to the shorter of seven days after the lifting of the law enforcement delay or the expiration of the original 45 day period. 

The amendment also includes specific information that must be included in the notice of breach to the Maryland Attorney General, including the number of affected Maryland residents, a description of the breach (including when and how it occurred), the steps the business took or plans to take relating to the breach, and the form notice to residents. The notice must be given prior to notifying the impacted residents.