Martin O'Malley, Governor
Ch. 532
PRACTICES THAT ARE APPROPRIATE TO THE NATURE OF THE PERSONAL
INFORMATION OWNED OR LICENSED AND THE NATURE AND SIZE OF THE
BUSINESS AND ITS OPERATIONS.
(B) (1) A BUSINESS THAT USES A NONAFFILIATED THIRD PARTY AS A
SERVICE PROVIDER TO PERFORM SERVICES FOR THE BUSINESS AND DISCLOSES
PERSONAL INFORMATION ABOUT AN INDIVIDUAL RESIDING IN THE STATE
UNDER A WRITTEN CONTRACT WITH THE THIRD PARTY SHALL REQUIRE BY
CONTRACT THAT THE THIRD PARTY IMPLEMENT AND MAINTAIN REASONABLE
SECURITY PROCEDURES AND PRACTICES THAT:
(I) ARE APPROPRIATE TO THE NATURE OF THE PERSONAL
INFORMATION DISCLOSED TO THE NONAFFILIATED THIRD PARTY; AND
(II) ARE REASONABLY DESIGNED TO HELP PROTECT THE
PERSONAL INFORMATION FROM UNAUTHORIZED ACCESS, USE, MODIFICATION,
DISCLOSURE, OR DESTRUCTION.
(2) THIS SUBSECTION SHALL APPLY TO A WRITTEN CONTRACT
THAT IS ENTERED INTO ON OR AFTER JANUARY 1, 2009.
14-3504.
(A) IN THIS SECTION:
(1) "BREACH OF THE SECURITY OF A SYSTEM" MEANS THE
UNAUTHORIZED ACQUISITION OF COMPUTERIZED DATA THAT COMPROMISES
THE SECURITY, CONFIDENTIALITY, OR INTEGRITY OF THE PERSONAL
INFORMATION MAINTAINED BY A BUSINESS AND WILL LIKELY RESULT IN A
MATERIAL RISK OF IDENTITY THEFT; AND
(2) "BREACH OF THE SECURITY OF A SYSTEM" DOES NOT
INCLUDE THE GOOD FAITH ACQUISITION OF PERSONAL INFORMATION BY AN
EMPLOYEE OR AGENT OF A BUSINESS FOR THE PURPOSES OF THE BUSINESS,
PROVIDED THAT:
(I) THE PERSONAL INFORMATION IS NOT USED OR
SUBJECT TO FURTHER UNAUTHORIZED DISCLOSURE; AND
(II) IT IS NOT LIKELY THAT THE ACQUISITION WILL RESULT IN A MATERIAL RISK OF IDENTITY THEFT.
- 3467 -