Amended Law Effective January 1, 2018

Maryland has amended its Personal Information Protection Act (PIPA). Highlights of the amended law are presented below.


If a business’s primary or functional regulator has rules, regulations, or policies regarding protection of personal information and notice, and the business is in compliance with those rules, then that business will be deemed to be in compliance with PIPA.


PIPA defines “Personal information” as an individual’s first and last name in combination with a:

unless the information is encrypted, redacted or otherwise rendered unusable.


A “security breach” is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.

If a business experiences a security breach involving personal information that, combined, may pose a threat to a consumer if misused, that business must notify any affected consumers residing in Maryland.

Once a security breach is detected, a business must conduct, in good faith, a reasonable and prompt investigation to determine whether the compromised information has been misused or is likely to be misused, for instance for identity theft.

If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers.



Maryland Attorney General


New Law