The Holland Law Firm, P.C.

Personal Information Protection Act – Business Owner Responsibilities

Business owners have access to and curate important/sensitive information, particularly concerning team members and consumers. When business owners must obtain a person’s social security number or personal identification number, they need to take every precaution to ensure that it doesn’t end up in the wrong hands. 

The Federal Privacy Act

The Privacy Act of 1974 was created to safeguard individuals sharing personal information such as their social security number, name, or identification number. Under the Privacy Act, a person has the right to obtain access to their records and request any necessary changes. Disclosure of personal information requires the clear, written consent of the person to whom the records pertain.

The Maryland Personal Information Protection Act (PIPA)

In Maryland, specific laws are set to protect consumers, team members, and business owners from data breaches. Here are some must-know facts regarding the Maryland Personal Information Protection Act.

The state of Maryland passed a law in 2008 that takes the Privacy Act to another degree; this is known as the Maryland Personal Information Protection Act (PIPA). Otherwise referred to as the Maryland Data Breach Notification Law, this act works to prevent business-related data breaches that lose or distribute personal information without the individual’s consent. It also educates businesses on collecting, disclosing, and using data responsibly to prevent potential breaches. 

Maryland’s Criteria for Personal Information

According to the statute, personal information includes the following:

            (i)    An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:

                1.    A Social Security number, an Individual Taxpayer Identification Number, a passport number, or other identification number issued by the federal government;

                2.    A driver’s license number or State identification card number;

                3.    An account number, a credit card number, or a debit card number, in combination with any required security code, access code, or password, that permits access to an individual’s financial account;

                4.    Health information, including information about an individual’s mental health;

                5.    A health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self–insured, that permits access to an individual’s health information; or

                6.    Biometric data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that can be used to uniquely authenticate the individual’s identity when the individual accesses a system or account; or

            (ii)    A user name or e–mail address in combination with a password or security question and answer that permits access to an individual’s e–mail account.

Consumer Notices

Maryland PIPA also ensures that businesses take the proper steps to notify consumers if their data has been compromised due to a security breach. Businesses have up to 45 days to properly notify consumers of the breach; those that do not are subject to large penalties and legal culpability. Businesses can notify consumers through written letters, phone calls, or an email if the consumer has given consent to be contacted electronically.

Data Loss

Data loss is when essential business information is accidentally deleted or breached. No matter the size of your business, data loss can be a very serious situation. Not only does it affect your team members, but it can also negatively impact your consumers. Certain pieces of data are recoverable, but it almost always requires the assistance of IT professionals; this wastes precious time and money and doesn’t guarantee that the data will be restored. 

Non-Compliance Penalties

Section 14-3508 of the Act states that a violation of the Maryland Personal Information Protection Act is also a violation of the Maryland Consumer Protection Act, which means that consumers can sue for damages and require offenders to pay attorney fees.

The consequences of improper data security can be devastating for businesses and their customers, so it’s incredibly important for business owners to be educated on safe storage of personal information. 

Work With an Identity Theft Lawyer

If you’ve been negatively impacted by a security breach or the mishandling of your personal information, an identity theft lawyer can help. Our experienced attorneys at Holland Law Firm are ready to cover your case and fight for your consumer rights.


Contact us today to learn more.