The security breach notification requirements in the Maryland Personal Information Protection Act (MPIPA) have been amended by House Bill 1154.

Maryland Governor Larry Hogan approved the changes to MPIPA, which go into effect October 1, 2019.

The bill:

  • Requires businesses that own, license, or maintain computerized data that includes personal information of an individual residing in the State to conduct investigations as soon as they discover or are notified of a breach of the security of a system.
  • Requires businesses to contact those affected by the security breach no later than 45 days after the investigation is finalized.
  • Requires businesses to maintain records after three years of the incident. 

HB 1154 prohibits owners and licensees of computerized data from using information relative to a breach of a security system for purposes other than: 

  1. providing notification of the breach.
  2. protecting or securing personal information.
  3. providing notification to national information security organizations to alert and avert new or expanded breaches.