Employment: Recent Developments
Legislative Update: New MD Consumer Protection Law
12/1/2007
Authors: Adam Connolly, Anne Fox
Beginning January 1, 2008, a new Maryland law takes effect that requires businesses of all sizes, both for profit and nonprofit, to implement protection, investigation, and notification procedures in connection with personal information (PI) they maintain on Maryland residents. The law, known as the Maryland Personal Information Protection Act (PIPA), follows the adoption of similar legislation in more than 30 other states. Businesses that are subject to and in compliance with certain federal laws (e.g., the Gramm-Leach-Bliley Act) are deemed to be in compliance with PIPA as well.
PIPA defines PI as an individual's name in combination with other identifying information, including a social security number, driver's license number, financial account number, or individual taxpayer identification number, if the individual's name or identifying information is not encrypted, redacted, or otherwise unreadable or unusable. The following types of identifying information are excluded from the definition of PI: publicly available information, information that an individual has consented to have publicly disseminated or listed, and information disseminated or listed in accordance with HIPAA (Health Insurance Portability and Accountability Act).

Protection of PI during destruction of customer records

When a business destroys customer records that contain PI, it must take "reasonable steps" to protect the PI from unauthorized use or access, taking into account factors such as the sensitivity of the records; the business's nature, size, and operations; the costs and benefits of different destruction methods; and available technology. For instance, simply deleting digital records containing PI from a hard drive may not be a "reasonable step" if they can be readily "un-deleted" or retrieved. In such cases, the use of more thorough destruction methods likely would be required depending on the factors described above.
Implementation and maintenance of reasonable security procedures and practices

Businesses that own or license PI of Maryland residents also must "implement and maintain reasonable security procedures and practices" to protect the PI from unauthorized access, use, modification, or disclosure. PIPA does not define "reasonable security procedures and practices." Instead, businesses must develop procedures and practices based on the nature of the PI owned or licensed and their own nature and size as well as the nature and size of their operations.
Contracts with nonaffiliated third party service contractors

After January 2009, a business that discloses PI about Maryland residents to a third party service provider pursuant to a written contract must require the third party service provider, by contract, to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PI disclosed and are reasonably designed to protect the PI from unauthorized access, use, modification, disclosure, or destruction. For instance, a business could include a contractual provision similar to the following, which should be modified to fit the specific details of the parties and personal information involved: "[Third party] agrees to comply with the Maryland Personal Information Protection Act. [Third party] agrees that it will implement and maintain reasonable security procedures and practices that are appropriate to the nature of the [personal information it receives from the business] and are reasonably designed to protect [such information] from unauthorized access, use, modification, disclosure, or destruction."

Investigation and notification of a breach of the security of a system

For businesses that own or license computerized data that contain PI of Maryland residents, PIPA requires "reasonable and prompt investigation" of any breach of the security of a system (defined as "any unauthorized acquisition of data that compromises the security, confidentiality, or integrity of the [PI]"). The purpose of the investigation is to determine the "likelihood that the [PI] has been or will be misused as a result of the breach." PIPA does not provide details on methods for investigation or how to determine the likelihood of misuse.
If the business determines that misuse has or is reasonably likely to occur based on the breach, it must notify not only the individuals whose PI is affected but also the Office of the Attorney General of Maryland. If there are more than 1,000 individuals involved, the business must also notify the consumer reporting agencies. PIPA prescribes the methods for giving notice and the required elements of the notification. Even a business that determines notification is not required must maintain records of its analysis for 3 years.
Consequences for noncompliance

The consequences for failure to comply with PIPA may be significant. PIPA violations are unfair or deceptive trade practices under Maryland law and subject to the enforcement and penalty provisions of the Consumer Protection Act. The Consumer Protection Act provides for a private right of action and attorneys' fees for consumers who suffer damages. It also permits consumers to file complaints with the Consumer Protection Division (the "Division") of the Maryland Attorney General's Office, which investigates the complaints and takes further action, including issuance of a cease and desist order, issuance of an order to pay restitution, and/or recovery of civil penalties and costs. Civil penalties range from $1,000 per violation for first violations to $5,000 per violation for subsequent violations. Violators are also subject to possible criminal penalties, including fines and/or imprisonment for up to one year.
Conclusion

Deciding how best to comply with PIPA will be a challenge for businesses due to its vague language and the lack of interpretive guidance available at this time. However, there are a number of steps that businesses can take to prevent and prepare for data security breaches, including:

• Identifying the PI that is currently maintained
• Using adequate data storage, security, encryption, and destruction methods
• Restricting employee access to PI
• Training employees in handling PI
• Adequately destroying PI that is no longer needed
• Developing a privacy policy
• Establishing a security breach response plan
• Establishing a security breach response team consisting of administrative, IT, legal and communications personnel.
If you have questions about how PIPA may affect your business, please contact: Anne Fox 410 951 1418 afox@gejlaw.com
or
Adam Connolly 410 951 1420 aconnolly@gejlaw.com
This Legislation Update has been prepared for general informational purposes only and is not intended to offer legal advice or counseling. You should not act upon information contained in this Legislation Update without the advice and counseling of a lawyer familiar with your particular factual situation. Copyright © 2007 by Gallagher Evelius & Jones LLP