Maryland’s data breach reporting law becomes effective on October 1. Recently signed into law by Governor Larry Hogan, the new law adds insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents, and third-party administrators to the types of business mandated to report security breaches. The aforementioned licensees will be required to report breaches to the Compliance and Enforcement Unit at the Maryland Insurance Administration.
While the law expands the types of businesses under its scope, the reporting requirements remain the same. Businesses that maintain or license computerized data must conduct a “reasonable and prompt” investigation if the business discovers a potential breach. If the business finds that a misuse of personal information has occurred, or is reasonably likely to occur, the business must notify the affected individuals and the Maryland Insurance Administration of the breach and potential misuse of information.
On August 29, 2019, Maryland released Bulletin 19-14, further clarifying its position.
For more questions about Maryland data breach reporting requirements, or any inquiries regarding data security concerns, please contact Westmont Associates, Inc.