© 2019 by Words by Witkowski.

ABOUT THE SITE >

This site is the personal page of Anthony J. Witkowski III. I am a recent graduate of Northeastern Law and the two projects are the result of two classes, Internet Law & Information Security Law, in the Fall Quarter of 2017. Please visit the About page for more recent work.

Code of Maryland §14-3501 et seq.

Enacted:  1.1.2008 - 1.1.2018 (Brand New Amendments Edition!)

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

Maryland's new amended statute includes the following definition in § 14-3504:

  • (a)  "Breach of the security of a system" defined. --  In this section:

    • (1)  "Breach of the security of a system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business; and

    • (2)  "Breach of the security of a system" does not include the good faith acquisition of personal information by an employee or agent of a business for the purposes of the business, provided that the personal information is not used or subject to further unauthorized disclosure.

When is notice required?

As you would expect from a new statute, Maryland has perhaps the most clear and detailed statutory requirements in its data breach law, specifically §14-3504(b)-(k). The full statute is linked above, but it is important to highlight that there is a 45-day reporting period unless some exception has been met. Notice is required for all residents affected by the breach, and a copy must be given to the Attorney General's office and national credit agencies (if over 1,000 residents are affected). Maryland also specifically asks for a description of the information that was lost, contact information for the business, a toll-free phone number for credit reporting agencies, the Federal Trade Commission and the AG's office, and finally a statement that these sources have information to help protect against identity theft.

What are the penalties for non-compliance?

The violations provision, §14-3508, is one of the only segments of the statute that wasn't amended this year. It reads as follows:

  • A violation of this subtitle:

    • (1)  Is an unfair or deceptive trade practice within the meaning of Title 13 of this article; and

    • (2)  Is subject to the enforcement and penalty provisions contained in Title 13 of this article.