A multi-year effort by the MD|DC Credit Union Association to strengthen data breach notification standards for businesses is now law. SB643 will take effect Oct. 1, updating the Maryland Personal Information Protection Act to incorporate language suggested by the Association.
“This is a big win for consumers,” said John Bratsakis, MD|DC Credit Union Association President/CEO. “We want to thank the Maryland General Assembly for taking action to strengthen notification standards, something we have strongly advocated for over the past four years. As credit unions, our chief responsibility is to protect consumers’ finances and personal information. This bill helps support those efforts.”
Specifically, it will give businesses 45 days, from the time they discover or are notified of a breach, to inform consumers that their information was compromised. Law enforcement may delay the reporting requirement if they determine that notifying consumers of the breach may impede a criminal investigation.
However, once law enforcement determines that it is safe to notify consumers, if it is past the initial 45-day period, businesses will have 7 days to notify consumers. The current standard is ambiguous: it requires notification within 45 days of completion of an internal investigation, which allows businesses to take months or even years to notify consumers of a breach. Financial institutions in compliance with the Gramm-Leach-Bliley Act are deemed compliant with the Act.