As data breaches affecting businesses around the world continue to dominate the headlines, it’s worth ensuring that your business is complying with the recently amended Maryland Personal Information Protection Act (“MPIPA”). This statute, which was amended effective January 1, 2018, requires that businesses “implement and maintain reasonable security procedures and practices” in order to prevent the unauthorized disclosure of employees’ “personal information.”
Employers should ensure they have implemented “reasonable security procedures and practices.” It is worth noting that the MPIPA does not define “reasonable security procedures and practices.” Consequently, employers should implement those procedures and practices that are reasonable under all of the circumstances, which include but are not limited to: the types of records at issue, the resources of the business, the costs and benefits of available security protocols, and the available technology.
Ensure, when destroying records of current or former employees, “reasonable steps” are taken to protect against unauthorized access to employees’ personal information. The MPIPA provides that the reasonableness of the steps taken depends on: “the sensitivity of the records at issue, the nature and size of the business and its operations, the costs and benefits of different security methods, and the available technology.”
Ensure timely notification is given to employees or former employees whose personal information has been compromised. This requires notification no later than 45 days after knowledge of the breach.