DBN Statutes – Maryland

Data Breach Notification Statutes – Maryland

Last Updated: 02/28/2024

  • Applicable Statute: Md. Code Ann., Com. Law §§ 14-3501 to 14-3508
  • Attorney General Notice Required: Yes, if any resident is notified.
    • Timing : Notice to Attorney General must occur prior to consumer notice.
    • Method: Not specified.
    • Content :
      • (i) The number of affected individuals residing in the State;
      • (ii) A description of the breach of the security of a system, including when and how it occurred;
      • (iii) Any steps the business has taken or plans to take relating to the breach of the security of a system; and
      • (iv) The form of notice that will be sent to affected individuals and a sample notice.
  • Consumer Notice Requirements:
    • Timing: Must be made as soon as reasonably practicable but no later than 45 days after conclusion of the entity’s investigation. 
    • Content: The notification must include:
      • To the extent possible, a description of the categories of personal information, including specific elements, reasonably believed to have been acquired;
      • The covered entity’s contact information, including its address, telephone number, and toll-free number (if one is maintained);
      • The toll-free telephone numbers and addresses of the major consumer reporting agencies;
      • The toll-free numbers, addresses and website addresses for the FTC and Maryland Attorney General, and a statement that an individual can obtain information from these sources about how to avoid identity theft.
    • Method: Written notice to the resident’s most recent address, or email to most recent email address if the resident expressly consented to email notification or the entity conducts business primarily by Internet, or by telephone to the resident’s most recent telephone number. If only a username or email address (in combination with a password or security question and answer that permits access to an individual’s email account) are affected, may notify by providing directions on how to change account password or security question and answer, or providing additional steps to protect the account.
  • Consumer Reporting Agency Obligations: If 1,000 or more residents must be notified, then must notify each nationwide consumer reporting agency of the timing, distribution and content of the notices. Must be made without unreasonable delay.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required