← All US breach laws·MD

Maryland data breach notification law

Maryland's data breach notification requirements under Md. Code Com. Law §§14-3501 to 14-3508 (Personal Information Protection Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Md. Code Com. Law §§14-3501 to 14-3508
Enforcer
Maryland Attorney General — Consumer Protection Division
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
As soon as reasonably practicable, but no later than 45 days after the business concludes its investigation
Notify the state regulator
Yes — before notifying residents, the business must provide written notice to the Maryland AG
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required only after a reasonable and prompt investigation concludes that misuse of PI has occurred or is reasonably likely to occur
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Maryland law

First name/initial + last name with SSN, DL/state ID, IRS individual taxpayer ID, passport, state ID, financial account + access code, health-insurance ID, medical info, biometric data, OR username/email + password/security Q&A; ALSO standalone account + access code

Penalties and enforcement

Up to $10,000 per violation, $25,000 for repeats — enforced under Maryland Consumer Protection Act
Enforced by: Maryland Attorney General — Consumer Protection Division. Official regulator page →

Common pitfalls

Maryland is one of the few states requiring AG notice BEFORE residents are notified — sequencing matters
Investigation must be 'prompt' — long internal-only investigations expose the company to AG argument that delay was unreasonable

Frequently asked questions

How long do I have to notify Maryland residents after a data breach?
As soon as reasonably practicable, but no later than 45 days after the business concludes its investigation
Do I have to notify the Maryland Attorney General?
Yes — before notifying residents, the business must provide written notice to the Maryland AG
Does Maryland require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Maryland's breach notification requirement?
Yes — Maryland has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Maryland residents sue me directly for a data breach?
No — Maryland's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Maryland law?
First name/initial + last name with SSN, DL/state ID, IRS individual taxpayer ID, passport, state ID, financial account + access code, health-insurance ID, medical info, biometric data, OR username/email + password/security Q&A; ALSO standalone account + access code
What are the penalties for failing to comply with Maryland's breach notification law?
Up to $10,000 per violation, $25,000 for repeats — enforced under Maryland Consumer Protection Act

Related state breach laws

Louisiana (LA)
La. Rev. Stat. §§51:3071 to 51:3077
Maine (ME)
10 M.R.S.A. §§1346 to 1349
Massachusetts (MA)
Mass. Gen. Laws ch. 93H §§1–6 + 201 CMR 17.00
Michigan (MI)
Mich. Comp. Laws §§445.63

Pre-empt the Maryland breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Maryland's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit