A New Year, Another State Data Breach Law
January 1st will not just ring in 2008; it will also mark the day the new Maryland Personal Information Protection Act goes into effect.
According to the Baltimore Business Journal, the new Act "imposes information security, document disposal and data-breach protection requirements on all businesses in Maryland. It covers both employee and customer information, so every business in the state, regardless of size, is impacted. A violation of this law is an unfair or deceptive trade practice under Maryland law, which authorizes private lawsuits and hefty penalties."
Like the existing state data breach laws, the Maryland PIPA defines personal information as including "an individual's Social Security number, driver's license number, financial account number (such as a credit card or debit number), and taxpayer identification number," according to a briefing document from Winston & Strawn, LLP. However, according to Michael D. Oliver, Esq., the Maryland law "is much more business friendly than for example California's Data Protection Law."
The penalties for violating the Maryland PIPA fall under the Consumer Protection Act and could lead to a civil penalty of $1,000 for an initial violation and $5,000 for subsequent violations. Criminal misdemeanor sanctions could add an additional $1,000 in fines and the possibility of a year-long imprisonment.
One of the challenges for businesses is understanding the nuances found in each state law. With Maryland bringing the number of states with some form of a data breach law close to 40, it is becoming increasingly complicated for interstate businesses to ensure they know the specifics of each law.
It will not be surprising to see businesses look for some relief from the Federal Government by adopting a unified federal law that will simplify expectations.
Contributed by Mark Tordoff

I'm not sure how much of a challenge understanding the nuances of different state notification laws really is, or whether there's any need for a federal standard. As I wrote at http://ephemerallaw.blogspot.com/2007/11/variation-in-state-laws-problem-to-be.html, it isn't necessarily more complicated to comply with many state laws than it is to comply with only one, and allowing states to have differing laws can have beneficial consequences, as different states can achieve different balances between the costs and benefits of notification.
Posted by: William Morriss | December 17, 2007 at 08:44 AM