Julia K. Kadish, Kari M. Rollins, and Liisa M. Thomas of Sheppard, Mullin, Richter & Hampton LLP write:
Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:
- Expanded scope of data security requirements: The requirement to implement and maintain “reasonable” security measures will also apply to businesses that maintain personal information of Maryland residents (and not just those who own or license such information).
- Expanded definition of personal information: The definition of genetic information has been revised and expanded. This change follows a similar update California made to its breach notification law.
Read more at The National Law Review.