MD|DC Credit Union Association-led Data Breach Standard Update Enacted into Law

A multi-year effort by the Association to strengthen data breach notification standards for businesses is now law.

Passed by the Maryland General Assembly, SB643 will take effect October 1, 2022. The bill updates the Maryland Personal Information Protection Act to incorporate language suggested by the Association that will give businesses 45 days, from the time they discover or are notified of a breach, to inform consumers that their information was compromised. Law enforcement may delay the reporting requirement if it determines that notifying consumers of the breach may impede a criminal investigation. However, once law enforcement determines that it is safe to notify consumers, if it is past the initial 45-day period, businesses will have 7 days to notify consumers. The current standard is ambiguous: it requires notification within 45 days of completion of an internal investigation, which allows businesses to take months or even years to notify consumers of a breach. Financial institutions in compliance with the Gramm-Leach-Bliley Act are deemed compliant with the Act.

“This is a big win for consumers,” said John Bratsakis, MD|DC Credit Union Association President/CEO. “We want to thank the Maryland General Assembly for taking action to strengthen notification standards, something we have strongly advocated for over the past four years. As credit unions, our chief responsibility is to protect consumers’ finances and personal information. This bill helps support those efforts.”
