Even Small, Non-Internet Businesses Have Statutory Duties to Protect Customers’ and Employees’ Privacy

July 9, 2013

Maryland and many other states impose statutory duties to protect privacy on small businesses, not just on internet service providers, data storage providers, or financial institutions.

The Maryland Personal Information Protection Act, Md. Commercial Law Code Ann. §§14-3501, et seq. (hereinafter, “the statute” or by § reference) obligates a “business” to protect the “personal information” of Maryland residents.

§14-3501(b) defines a “business” as:

“a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit.”

§14-3501(d) defines “personal information” as follows:

“(1) ‘Personal information’ means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable:

(i) A Social Security number;

(ii) A driver’s license number;

(iii) A financial account number, including a credit card number or debit card number, that in combination with any required security code, access code, or password, would permit access to an individual’s financial account; or

(iv) An Individual Taxpayer Identification Number.

(2) ‘Personal information’ does not include:

(i) Publicly available information that is lawfully made available to the general public from federal, State, or local government records;

(ii) Information that an individual has consented to have publicly disseminated or listed; or

(iii) Information that is disseminated or listed in accordance with the federal Health Insurance Portability and Accountability Act.”

Therefore, any “business” that gathers the Social Security numbers of its employees, the credit card information of its customers, etc. – where those customers, employees, etc. are Maryland residents – is required to take various affirmative steps to protect that information. Note that the definition turns on the data being unprotected: a name paired with a Social Security number, driver’s license number, financial account number, or ITIN that is encrypted, redacted, or otherwise rendered unreadable or unusable is not “personal information” under §14-3501(d)(1), so how a business stores these data elements directly affects the scope of its duties under the statute.

Among other things, those steps, generally speaking, require such businesses (with certain exceptions for businesses that only maintain data that they do not own or license): (a) when destroying a customer’s records that contain personal information of the customer, to “take reasonable steps to protect against unauthorized access to or use of the personal information”; (b) to “implement and maintain reasonable security procedures and practices”; (c) to require its nonaffiliated third party service providers to “implement and maintain reasonable security procedures and practices”; and (d) in certain circumstances, to conduct an investigation, and to give prescribed notice(s), of a data security breach, to the individuals affected, or to the owner or licensee of that information, as the case may be, to the State Attorney General, and to credit reporting agencies. See the statute itself for the details.

If push comes to shove, arguments can be made as to whether the statute, or the statute as applied to certain situations, is preempted by various federal statutes, and there is always the question as to whether Maryland can regulate acts committed, in whole or in part, in another state. However, few businesses want to be test cases. Therefore, businesses with Maryland customers or employees need to check that they are protecting the “personal information” of those customers and employees in accordance with the statute.