Maryland passed a bill amending the Personal Information Protection Act (PIPA). Under the bill, the definition of personal information is expanded to include passport numbers (and other identification numbers issued by the federal government), and user names or e-mail addresses in combination with passwords or security questions and answers. The bill also requires businesses to notify affected individuals of a breach of security within 45 days of discovering the breach (if the business owns or licenses the personal information) or within 45 days of concluding the business’ investigation following discovery of the breach (if the business does not own or license the personal information). In addition, the bill provides an alternate method notifying affected individuals when the breach of security involves information that permits access to the individual’s e-mail account only (and where no other personal information is obtained). The bill becomes effective January 1, 2018.
See Maryland General Assembly website for the full text of the Statutes:
