Saltzman Law

Who do I have to notify if my business suffers a data breach and I have customers in Maryland?

There are many types of information that, if compromised, have differing notification requirements.

A prominent example protected health information (PHI). Some unauthorized uses and disclosures of PHI might be considered a breach. Should your business have a breach of PHI, you will likely have to notify victims and the United States Department of Health and Human Services within 60 days of learning about the breach, and if more than 500 individuals in Maryland are affected, notify the media of the breach.

If your business suffers a breach of other forms of personal information, you will likely have to notify the Attorney General of Maryland, and if after an investigation you determine that the breach created the likelihood that personal information might be misused, you will likely have to notify all persons involved within 45 days after discovering the breach. If over 1000 people are affected by the breach, you will likely have to notify consumer reporting agencies.

Breach notification laws in Maryland can be complicated. If you have questions about your business’s obligations to notify customers in Maryland about a potential data breach, please contact Saltzman Law.