Maryland: Revisions to Maryland Personal Information Protection Act enacted

House Bill ('HB') 962 for an Act on revisions to the Maryland Personal Information Protection Act was enacted on 29 May 2022 without the Governor's signature. In particular, HB 962 requires, among other things, that:

  • a business that maintains personal information of an individual residing in the State implements and maintains certain security procedures and practices;
  • after a breach investigation is concluded, unless the business reasonably determines that the breach of the security of a system does not create a likelihood that personal information has been, or will be, misused, the owner or licensee of the computerised data should notify the affected individuals of the breach; and
  • a business that maintains computerised data, including personal information of an individual residing in the State that the business does not own or license, when it discovers, or is notified of, a breach of the security of a system, should notify, as soon as practicable and not later than ten days, the owner or licensee of the personal information of the breach of the security of a system.

Additionally, HB 962 states that a substitute notice should consist of, among other things, a notification to major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.

Moreover, HB 962 stipulates that, prior to giving the breach notification to affected individuals, a business should provide a notice of a breach of the security system to the Attorney General ('AG'), whereby the notice should contain, at a minimum:

  • the number of affected individuals;
  • a description of the breach of the security system, including when and how it occurred;
  • any steps the business has taken, or plans to take, relating to the breach; and
  • the form of notice that will be sent to affected individuals, as well as a sample notice.

HB 962 will take effect on 1 October 2022.

You can read HB 962 and view its history here.
