|
|
|
|
|
|
|
|
|
|
|
|
|
Martin O'Malley, Governor Ch. 532
|
|
|
|
|
|
|
|
(4) IF AFTER THE INVESTIGATION REQUIRED UNDER PARAGRAPH
(1) OF THIS SUBSECTION IS CONCLUDED, THE BUSINESS DETERMINES THAT
NOTIFICATION UNDER PARAGRAPH (2) OF THIS SUBSECTION IS NOT REQUIRED,
THE BUSINESS SHALL MAINTAIN RECORDS THAT REFLECT ITS DETERMINATION
FOR 3 YEARS AFTER THE DETERMINATION IS MADE.
(C) (1) A BUSINESS THAT MAINTAINS COMPUTERIZED DATA THAT
INCLUDES PERSONAL INFORMATION THAT THE BUSINESS DOES NOT OWN OR
LICENSE SHALL NOTIFY THE OWNER OR LICENSEE OF THE PERSONAL
INFORMATION OF A BREACH OF THE SECURITY OF A SYSTEM IF IT IS LIKELY
THAT THE BREACH HAS RESULTED OR WILL RESULT IN THE MISUSE OF
PERSONAL INFORMATION OF AN INDIVIDUAL RESIDING IN THE STATE IF IT IS
LIKELY THAT THE BREACH HAS RESULTED OR WILL RESULT IN A MATERIAL
RISK OF IDENTITY THEFT OR PERSONAL INFORMATION OF AN INDIVIDUAL
RESIDING IN THE STATE.
(2) EXCEPT AS PROVIDED IN SUBSECTION (D) OF THIS SECTION,
THE NOTIFICATION REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION
SHALL BE GIVEN AS SOON AS REASONABLY PRACTICABLE AFTER THE BUSINESS
DISCOVERS OR IS NOTIFIED OF THE BREACH OF THE SECURITY OF A SYSTEM.
(3) A BUSINESS THAT IS REQUIRED TO NOTIFY AN OWNER OR
LICENSEE OF PERSONAL INFORMATION OF A BREACH OF THE SECURITY OF A
SYSTEM UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL SHARE WITH THE
OWNER OR LICENSEE INFORMATION RELATIVE TO THE BREACH.
(D) (1) THE NOTIFICATION REQUIRED UNDER SUBSECTIONS (B) AND
(C) OF THIS SECTION MAY BE DELAYED:
(I) IF A LAW ENFORCEMENT AGENCY DETERMINES THAT
THE NOTIFICATION WILL IMPEDE A CRIMINAL INVESTIGATION OR JEOPARDIZE
HOMELAND OR NATIONAL SECURITY; OR
(II) TO DETERMINE THE SCOPE OF THE BREACH OF THE
SECURITY OF A SYSTEM, IDENTIFY THE INDIVIDUALS AFFECTED, OR RESTORE
THE INTEGRITY OF THE SYSTEM.
(2) IF NOTIFICATION IS DELAYED UNDER PARAGRAPH (1)(I) OF
THIS SUBSECTION, NOTIFICATION SHALL BE GIVEN AS SOON AS REASONABLY
PRACTICABLE AFTER THE LAW ENFORCEMENT AGENCY DETERMINES THAT IT
|
|
|
|
|
|
|
|
- 3469 -
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|