Update to Data Breach Standard Led by MD|DC Credit Union Association Goes Into Effect | 2022-06-02

A multi-year effort by the MD|DC Credit Union Association to strengthen data breach notification standards for businesses is now law. SB643 will go into effect Oct. 1, updating Maryland’s privacy law to incorporate language suggested by the Association.

“This is a big win for consumers,” said John Bratsakis, president and CEO of the MD|DC Credit Union Association. “We want to thank the Maryland General Assembly for taking action to strengthen reporting standards, which we have strongly advocated for over the past four years. As credit unions, our primary responsibility is to protect consumer finances and personal information.This bill helps support these efforts.

Specifically, it will give businesses 45 days, from the time they discover or are notified of a breach, to notify consumers that their information has been compromised. Law enforcement may delay the reporting requirement if they determine that doing so may prevent a criminal investigation from notifying consumers of the violation.

However, once law enforcement determines that it is safe to notify consumers, if the initial 45-day period is exceeded, companies will have 7 days to notify consumers. The current standard is ambiguous, requiring notification within 45 days of the completion of an internal investigation, allowing companies to take months or even years to notify consumers of a breach. Financial institutions in compliance with the Gramm-Leach-Bliley Act are deemed to comply with the law.