The General Assembly passed legislation (SB 194/HB 208) stating the responsibility of businesses to safeguard personal information of customers and when and how to notify customers in the event of a security breach of data. This bill will affect every business in Maryland that maintains personal information of customers. “Personal information” means an individual’s first initial or name and last name in combination with a social security number, driver’s license number, financial account number (such as a credit card) or taxpayer identification number. The bill is effective January 1, 2008 and requires:

• Businesses to take “reasonable steps” to prevent unauthorized access when destroying documents containing personal information of customers;
• If a security breach of computerized data occurs of personal information of customers, a business must immediately investigate if misuse is likely;
• If yes, the business must notify the Attorney General’s office first, then each individual as soon as reasonably practical;
• Detailed requirements for method and form of notification;
• Sanctions in the form of fines and lawsuits if a business fails to comply;
• Companies that comply with similar requirements of a federal or state regulator (such as banks) are deemed in compliance.

See a copy of the bill online here. Contact Ron Wineholt for further information at rwineholt@mdchamber.org .