Maryland Expands Breach Notification Requirements
Starting in October 2019, Maryland’s breach notification law will be updated to place new responsibilities on businesses that maintain data, not just those that own or license it. This change means that vendors who store or manage personal information will now be required to conduct a "reasonable and prompt investigation" when there is a potential or actual data breach. Previously, only businesses that owned or licensed the data were required to investigate breaches, but this update expands that duty to include companies maintaining data on behalf of others.
This is a significant shift, especially since other states with breach notification laws, like Connecticut, Delaware, New Hampshire, and Wyoming, impose this investigative obligation only on data owners, not on vendors. In those states, vendors are generally required only to cooperate with the data owner’s investigation, or this responsibility is outlined in the vendor’s contract. The Maryland update aligns vendors with data owners in their responsibilities, making it clear that those maintaining data will have a direct duty to assess potential misuse of personal information in the event of a breach.
For businesses that act as vendors and maintain data for others, this change requires careful attention. While data owners may welcome the additional layer of accountability placed on vendors, companies that maintain data now need to be prepared to quickly investigate any breach or suspected breach. This may involve evaluating whether the personal information at risk has been, or could be, misused and taking steps to mitigate any potential harm.
As a business, if you're maintaining data on behalf of another company, this update means you need to ensure you're not only cooperating with the data owner in breach situations but also conducting your own prompt investigations. Review your existing contracts and make sure they reflect the new duties that come with this change in law.
Vendors maintaining data for other businesses should take proactive steps to review and update their data security practices to align with Maryland's expanded breach notification law. Additionally, review contracts to ensure they clearly outline the new responsibilities related to breach investigations. By staying ahead of these legal changes, businesses can protect themselves from potential liabilities and ensure compliance with evolving data privacy laws.
© 2019 Cliclaw.com
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.