Maryland's PIPA - Personal Information Protection Act

Maryland's Personal Information Protection Act ("PIPA") is a privacy law that became effective on January 1, 2008. It's also known as Maryland's Data Breach Notification Law. Since 2008, a series of amendments has been passed that revised and expanded the definition of personal information to include biometric data.

Maryland's privacy laws are not comprehensive. They are certainly nowhere near as all-encompassing as California's consumer privacy laws, which are de facto becoming the American standard.

However, with public awareness of the dangers of stolen or leaked data growing, Maryland has been working to keep up with data privacy laws that are now trending throughout America.

State legislators wrote PIPA to ensure that the personal, identifying information of Maryland consumers was "reasonably protected." If that data is compromised, PIPA demands that businesses notify consumers in case of a security breach so that they can protect themselves.

In essence, PIPA places legislative obligations on businesses to keep the personal information of Maryland consumers secure and private.


Who Must Abide by PIPA's Rules?

In order to know whether your business falls under the regulations outlined in PIPA and whether you have to abide by its rules concerning biometric data, it's important to understand the law's definitions.

House Bill 1154, which went into effect on October 1, 2019, amended PIPA's rules regarding which businesses are covered. PIPA's current definition of a "business" is as follows:

West Annotated Code of Maryland Commercial Law: Definition of Business

(b)(1) "Business" means a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit.

(2) "Business" includes a financial institution organized, chartered, licensed, or otherwise authorized under the laws of this State, any other state, the United States, or any other country, and the parent or subsidiary of a financial institution.

Before House Bill 1154 came into effect, only businesses that licensed or owned the personal information of Maryland residents were required to carry out a prompt, reasonable, good faith investigation. The purpose of this investigation was to establish the likelihood that personal information had been taken and misused as the result of a data security breach.

Now, however, businesses that license, own, or maintain the personal information of Maryland residents are subject to PIPA's regulations, regardless of the size of the business.

To sum it up, if your company does business in the state of Maryland (whether or not your business is located in the state) and you own, license, or maintain the personal information of Maryland-based consumers, then you must abide by PIPA's statutes.

What is Personal Information Under PIPA?

In 2017, PIPA was amended by House Bill 974. The amendment updated and expanded PIPA's definition of personal information.

The current definition of personal information includes:

  • Biometric data, which includes things such as a retina or iris image, a voice print, fingerprint, genetic print, or other biological characteristics unique to an individual that can be used for authentication purposes when someone accesses an account or system.
  • An email address or user name in combination with a security question and answer or a password, which allows access to an account.
  • A health insurance policy, health insurance subscriber identification number, or certificate number together with a unique identifier, which allows access to the data.
  • Health data, which is defined as information created by an entity under the authority of HIPAA concerning an individual's diagnosis, treatment, condition, and medical history.
  • Passport numbers and other numbers issued as identification by the federal government.
  • State identification card numbers
  • Social Security Number
  • Driver's license number
  • Credit card, debit card, or financial account numbers in combination with a password, access code, or security code that would allow access to an individual's financial account
  • Taxpayer identification numbers

What Isn't Personal Information Under PIPA?

A business may obtain and use information that isn't covered by PIPA, in which case it has no obligations under PIPA concerning that information when a security breach occurs.

This kind of data includes:

  • Any data that is listed or disseminated under the federal Health Insurance Portability and Accountability Act (HIPAA)
  • Data that individuals have consented to have publicly listed or disseminated
  • Publicly available data, which is provided through local, state, or federal government records

What is a Security Breach Under PIPA?

Under Maryland's biometric data protection law, a security breach is defined as the unauthorized acquisition of computerized data. In other words, the data is compromised by a breach of the confidentiality, integrity, or security of that personal information.

Complying With PIPA's Regulations

Notification

If there is a security breach where personal information may have been compromised, and there could be a threat to a Maryland consumer if misused, a business must notify the affected individuals.

Additionally, businesses must:

  • Conduct a prompt investigation to determine whether the compromised information has been, or is likely to be, misused (e.g., for identity theft).
  • If the determination is made that the consumer's data might be misused, notify those affected by the breach.
  • Notice must be given to affected consumers within 45 days.
  • Delays in notification are acceptable if necessary to restore integrity to the breached system, identify all affected consumers, determine the scope of the breach, or if requested by law enforcement.
  • Notice to consumers must be made in writing. Additionally, the notice must be sent to the individual's most recent address, or by telephone to the most recent telephone number.
  • If the consumer has consented to receiving emails from the business, or if the company does most of its business online, then it is acceptable to send the notice electronically over the internet.
  • If the number of affected consumers exceeds 175,000 people, or if the cost of mailing exceeds $100,000, then businesses are allowed to provide notice of a security breach by posting on their website, via email, and by giving notice to statewide media.
  • If providing notice electronically, the business must instruct the affected individual to change their security questions and answers as well as any passwords they have.
  • If providing notice electronically, the business must also instruct the affected individual to take the same protective measures for any other accounts where they may have used the same usernames, passwords, or answers to security questions.

What Must a Security Breach Notice Include?

In order to be compliant, businesses must include the following in notices of a security breach:

  • A description of all compromised information
  • The business's contact information, which must include a toll-free number if available
  • The addresses and toll-free numbers of all three major credit reporting agencies: TransUnion, Experian, and Equifax
  • The websites, addresses, and toll-free numbers for the Maryland Office of the Attorney General (OAG) and the Federal Trade Commission (FTC)
  • A statement, which clarifies that the affected consumer can acquire information from the OAG and FTC about how to prevent identity theft

Before sending notices to Maryland consumers, businesses must:

  • Notify the OAG
  • Briefly describe the nature of the security breach
  • State what type of information has been compromised
  • Provide information as to how many affected consumers are being notified
  • Attach a sample copy of the notice that is being sent to affected individuals
  • Describe all steps the business is taking to restore system integrity

It should be noted that if a business is compliant with the Gramm-Leach-Bliley Act, it is also considered compliant with PIPA.

Violations of PIPA

Any violations of PIPA are considered to be deceptive or unfair trade practices under Maryland's Consumer Protection Act. This makes violations a criminal offense.

Consumers who feel that a business has violated PIPA may file a complaint with Maryland's Attorney General. A cease and desist order may be issued, and the Attorney General may also levy civil penalties up to $1,000 for the first violation. Any violations after that could result in financial penalties of up to $5,000.

Maryland also allows a private right of action, under which consumers can sue to recover their injuries or losses. They can also recover their attorneys' fees.

An Example of a PIPA Violation

A major lawsuit was filed by consumers against Marriott International, Inc. in the United States District Court for the District of Maryland after one of the largest data breaches in history.

In November of 2018, a data breach was reported by Marriott wherein almost 400 million guest records were exposed worldwide. It was discovered that over the course of four years, hackers stole personal information such as passport numbers and contact information from Marriott's database.

In Maryland, the lawsuit was brought by consumers alleging violations of PIPA. The lawsuit was filed on February 21, 2020.

The plaintiffs in the case alleged that Marriott was irresponsible and neglected to take the necessary steps to protect their personal data from a cyber-attack that could have been prevented.

The US District Court in Maryland hasn't ruled on the case yet, but Marriott has already been fined by the UK's Information Commissioner's Office (ICO). Marriott was ordered to pay £18.4 million (approximately $23.9 million) for violations of the EU General Data Protection Regulation (GDPR).

Upcoming Biometric Privacy Laws in Maryland

Biometric data is listed as just one aspect of personal information that must be protected under PIPA.

However, there are two new laws in Maryland's legislative pipeline that specifically focus on biometric information.

The first is called "Commercial Law - Consumer Protection - Biometric Identifiers and Biometric Information Privacy." It made its way through Maryland's House of Representatives at the beginning of 2020.

House Bill 307 requires:

"...private entities in possession of biometric identifiers or biometric information to develop a written policy, made available to the public, establishing a certain retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; prohibiting a private entity from being required to make publicly available a certain policy; requiring each private entity in possession of biometric identifiers or biometric information to comply with certain schedules and guidelines; etc."

House Bill 307 is now pending in the state senate's finance committee.

The second is House Bill 1202, called "Labor and Employment - Use of Facial Recognition Services - Prohibition." This legislation has already passed and went into effect on October 1, 2020.

The new law forbids employers from using a facial recognition service to create facial templates during a job applicant's interview unless the business has gained the applicant's consent.

The definition of "facial recognition service" is "technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images."

The definition of "facial template" is "the machine-interpretable pattern of facial features that is extracted from one or more images of an individual by a facial recognition service."

Interestingly, surveillance footage of an applicant's face or images taken with security-badge cameras go unmentioned.

In any case, as noted above, employers may use this biometric technology if they acquire the consent of the applicant. Applicants give consent by signing a waiver.

The waiver must provide, "in plain language," the following:

  • The name of the applicant
  • The date of the interview
  • That the applicant consents to the use of facial recognition during the interview
  • Whether the applicant consented to the waiver

Many businesses across America now use facial recognition technology and artificial intelligence to evaluate job applicants. Maryland's new law aims to make sure that applicants are aware when employers plan to use facial recognition technology.

The reasoning behind the legislation is that while those selling the technology promote it as a means of removing bias from the hiring process, others suggest that the technology is error prone and reinforces privilege.

With the above information in mind, businesses that plan to use biometric-based technologies such as facial recognition must ensure that they acquire the consent they need from job applicants.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.