Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- constitute an unfair trade practice

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting must be made to the Office of the Attorney General prior to consumer notification.
  • There is specific information that must be included in consumer notifications.
  • Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.
  • There are specific security requirements for handling social security numbers.
  • Vendors must notify Organizations without delay, but no later than 45 days, after discovery of a breach or suspected breach and provide necessary information concerning the breach incident. The Organization is responsible for completing any required regulatory reporting and consumer notification.
  • Vendors are prohibited from charging a fee to provide any necessary information to an Organization regarding a breach.
  • Organizations must have measures in place for the secure disposal of personal information.
  • Organizations must contract with Vendors to whom the Organization discloses personal information.
  • Organizations and Vendors must implement and maintain reasonable security procedures and practices for protecting personal information.
  • Organizations may be fined or penalized for Vendor violations.
  • Failure to comply with requirements under the Personal Information Protection Act constitutes an unfair trade practice.
Statutes and Laws
  • MD Comm L Code §§ 14-3501 through 14-3508, Personal Information Protection Act
  • MD Comm L Code §§ 14-3401 through 14-3402, Social Security Number Privacy Act
  • MD Comm L Code § 14-1318, Consumer protection provisions