Breach reporting must be made to the Office of the Attorney General, prior to consumer notification. Breach reporting to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis is required for breaches involving 1,000 or more individuals.

There is specific information that must be included in consumer notifications.

Organizations may be fined or penalized for Vendor violations. Failure to comply with requirements under the Personal Information Protection Act constitutes an unfair trade practice.

Maryland passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Effective October 1, 2019, licensees must comply with breach notification requirements, including Commissioner notification within 45 days.

Organizations must have measures in place for the secure disposal of personal information. Organizations must contract with Vendors to whom the Organization discloses personal information. Organizations and Vendors must implement and maintain reasonable security procedures and practices for protecting personal information. There are specific security requirements for handling social security numbers.

Vendors must notify Organizations without delay, but no later than 45 days, after the discovery of a breach or suspected breach and provide the necessary information concerning the breach incident. The Organization will be responsible to complete any required regulatory reporting and consumer notification. Vendors are prohibited from charging a fee to provide any necessary information to an Organization regarding a breach.