Maryland Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Maryland takes data breach notification seriously. Under the Maryland Personal Information Protection Act (MPIPA), businesses that experience a security breach must act fast, notifying both the Attorney General and affected individuals within a tight 45-day window. This is one of the shorter deadlines among U.S. states, and the requirement to notify the AG first adds an extra layer of accountability.
The law, codified at Md. Code, Com. Law § 14-3504, applies to any business that owns, licenses, or maintains computerized data containing personal information of Maryland residents. A separate statute, Md. Code, State Govt. § 10-1305, imposes parallel obligations on state and local government agencies.
This guide breaks down who must comply, what triggers the notification obligation, the AG-first reporting process, enforcement mechanisms, and how the new Maryland Online Data Privacy Act (MODPA) adds to the picture.
What Qualifies as a Breach of Security
Under § 14-3501, a "breach of the security of a system" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.
The definition focuses on actual acquisition, not mere access. If someone accesses a system without authorization but does not acquire personal information, the notification requirement may not apply.
Maryland includes a good-faith exception. An employee or agent who acquires personal information in the normal course of business does not trigger breach notification, as long as the information is not used for an unauthorized purpose or disclosed further.

The Encryption Safe Harbor
Maryland provides a clear safe harbor for encrypted data. If the compromised personal information was encrypted, redacted, or otherwise rendered unreadable or unusable, the notification obligation does not apply.
There is an important caveat. If the encryption key was also compromised, or there is a reasonable belief that it was compromised, the safe harbor disappears and full notification is required. Businesses should document their encryption practices and key management procedures to take advantage of this protection.
Personal Information That Triggers Notification
Maryland has one of the broader definitions of protected personal information among state breach notification laws. Under § 14-3501(e), personal information means an individual's first name or first initial and last name combined with any one or more of the following data elements (when not encrypted, redacted, or otherwise protected):
- Social Security number, individual taxpayer identification number (ITIN), passport number, or other federal government-issued identification number
- Driver's license number or Maryland state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that permits access to the account
- Health information, including information about mental or physical health conditions, medical history, or treatment by a healthcare professional
- Health insurance policy number, subscriber identification number, or other unique identifier used by a health insurer, combined with a unique identifier used by the insurer or employer
- Biometric data, including fingerprints, voice prints, genetic prints, retinal or iris images, and other unique biological characteristics used for authentication
- Genetic information, including data from DNA analysis, chromosomes, alleles, genomes, and genetic sequence polymorphisms
- Username or email address combined with a password or security question and answer that would permit access to an online account
This list is notably comprehensive. Maryland was among the early states to include biometric data, genetic information, and health insurance identifiers as protected categories.
What Does Not Count as Personal Information
Publicly available information lawfully obtained from federal, state, or local government records is excluded from the definition. Information that is widely distributed through media is also excluded.

The 45-Day Notification Deadline
Maryland imposes a firm 45-day deadline for notifying affected individuals. Under § 14-3504, businesses must provide notice no later than 45 days after discovering or being notified of the breach.
The clock starts at discovery, not at the conclusion of an investigation. This is a meaningful distinction. Some states start the clock only after the business has confirmed the breach through investigation. Maryland's approach puts more pressure on businesses to move quickly.
Investigation Requirement
Before sending notifications, a business must conduct a good-faith, reasonable, and prompt investigation to determine whether personal information has been or will be misused as a result of the breach. If the investigation determines that misuse of personal information has not occurred and is not reasonably likely to occur, notification may not be required.
However, the business must document that determination and maintain records for three years. This documentation requirement gives the Attorney General a basis for reviewing whether the decision not to notify was justified.
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation or jeopardize national security. Once law enforcement gives clearance, the business must notify affected individuals within seven days.

Attorney General Notification: The AG-First Rule
Maryland stands out among state breach notification laws for its AG-first notification requirement. Under § 14-3504, businesses must notify the Office of the Attorney General before sending notifications to affected individuals.
The AG notification must include:
- The number of Maryland residents affected by the breach
- A description of the breach, including when and how it occurred
- The steps the business has taken or plans to take in response to the breach
- The timeline for when individual notifications will be sent
- A sample copy of the notice that will go to affected individuals
This AG-first approach gives the Attorney General's office an opportunity to review the breach and the planned notification before consumers receive it. It also allows the AG to coordinate with the business if the notification is inadequate or if the breach raises broader consumer protection concerns.
Breach notifications should be directed to the Identity Theft Unit of the Consumer Protection Division at 200 St. Paul Place, Baltimore, MD 21202, or by email to idtheft@oag.state.md.us.
Methods of Individual Notification
Maryland permits several methods for notifying affected individuals:
- Written notice mailed to the most recent address on file
- Email notice, if the individual has previously consented to electronic communications or if the business conducts its business primarily through online transactions
- Telephonic notice to the most recent phone number on file
- Substitute notice, available when specific conditions are met
Substitute Notice
A business may use substitute notice if the cost of direct notification would exceed $100,000, the number of affected individuals exceeds 175,000, or the business does not have sufficient contact information to provide direct notice.
Substitute notice requires all three of the following: sending email to affected individuals whose addresses are available, posting a conspicuous notice on the company's website, and notifying major statewide media outlets.
Required Content of Individual Notices
Individual breach notifications must include:
- A description of the categories of personal information compromised
- Contact information for the business
- Contact information for consumer reporting agencies
- Contact details for the Federal Trade Commission and the Maryland Attorney General, along with information about identity theft prevention
Special Rule for Email-Only Breaches
When a breach involves only access to an email account without other personal information, the business may provide a simplified notification directing the affected individual to change their password and security questions.
Third-Party Data Handlers
Businesses that maintain personal information on behalf of another entity (such as cloud providers, payment processors, or IT vendors) have separate obligations. A third-party data handler must notify the data owner within 10 days of discovering a breach.
The third-party handler cannot charge the data owner any fees for providing information about the breach. This provision prevents vendors from monetizing breach information at the expense of timely notification.
Government Agency Obligations
State and local government agencies in Maryland are subject to parallel breach notification requirements under Md. Code, State Govt. § 10-1305. The obligations are similar to those for private businesses, with a few differences.
Government agencies must notify affected individuals "as soon as reasonably practicable" after investigation. They must also notify the Attorney General before individual notification. Certain state agencies are additionally required to notify the Department of Information Technology.
The substitute notice thresholds differ for government agencies: the cost threshold is $100,000 and the affected individuals threshold is 175,000.
Enforcement and Penalties
AG Enforcement Through Consumer Protection Act
Under § 14-3508, violations of Maryland's breach notification law constitute unfair or deceptive trade practices under Title 13 of the Commercial Law article, which is Maryland's Consumer Protection Act.
This means the Attorney General's Consumer Protection Division has full enforcement authority, including the power to:
- Bring civil actions against violating businesses
- Issue cease and desist orders
- Seek restitution for affected consumers
- Impose civil penalties
Penalty Amounts
Under § 13-410, a business that violates the law faces fines of up to $10,000 per violation. A business that repeats the same violation after a prior finding faces fines of up to $25,000 per repeat violation.
When calculating penalties, the Consumer Protection Division considers the severity of the violation, the business's good faith efforts, its prior violation history, and the deterrent effect of the penalty amount.
No Private Right of Action
Maryland's breach notification law does not create a private right of action. Individual consumers cannot sue businesses directly for failing to comply with notification requirements. Enforcement rests exclusively with the Attorney General.
However, individuals may still pursue claims under common law theories such as negligence, breach of contract, or other applicable statutes.

How MODPA Affects Data Breach Obligations
The Maryland Online Data Privacy Act (MODPA), which took effect on October 1, 2025, adds a comprehensive privacy framework that operates alongside the existing breach notification law. While MODPA does not replace or directly amend § 14-3504, it has significant implications for breach prevention and response.
Data Minimization Reduces Breach Risk
MODPA requires businesses to limit personal data collection to what is "reasonably necessary and proportionate" to provide a specific product or service requested by the consumer. This strict data minimization standard means businesses should be holding less personal data overall, which reduces both the likelihood and the potential impact of a data breach.
Sensitive Data Protections
MODPA classifies certain categories as sensitive personal data, including biometric data, genetic data, health information, precise geolocation, and data concerning children under 18. Businesses must obtain consent before processing sensitive data and are prohibited from selling it entirely. A breach involving sensitive data could trigger enforcement under both MODPA and the breach notification statute.
Additional Enforcement Layer
MODPA violations are also classified as unfair or deceptive trade practices, giving the Attorney General parallel enforcement authority. Before bringing an action, the AG may issue a notice of violation and provide at least 60 days for the business to cure the violation if a cure is possible. This 60-day cure period does not apply to the separate breach notification obligations under § 14-3504.
Data Protection Assessments
MODPA requires businesses to conduct data protection assessments for high-risk processing activities. If a business fails to conduct required assessments and then suffers a breach, that failure could strengthen the AG's enforcement case under both MODPA and the breach notification law.
How Maryland Compares
Maryland's 45-day notification deadline is among the shorter windows nationally. Florida requires notification within 30 days, while many states use a vaguer "most expedient time possible" standard without a fixed deadline. Maryland's AG-first notification requirement is also distinctive. Most states require AG notification at the same time as individual notification, or only above certain thresholds. Maryland's approach of requiring AG notice before individual notice gives the state more oversight of the process.
The breadth of Maryland's personal information definition, covering nine categories including biometric and genetic data, places it in the upper tier of state protections.
For a broader view of Maryland's data privacy landscape, including the MODPA framework, see our Maryland Data Privacy Laws overview.
Sources and References
This article draws from the following official Maryland government sources:
- Md. Code, Com. Law § 14-3504 (Notification of Breach) - Full text of Maryland's business breach notification statute (mgaleg.maryland.gov)
- Md. Code, Com. Law § 14-3501 (Definitions) - Definitions of personal information, breach, and related terms (mgaleg.maryland.gov)
- Md. Code, Com. Law § 14-3508 (Enforcement) - Classification of violations as unfair trade practices (mgaleg.maryland.gov)
- Md. Code, Com. Law § 13-410 (Civil Penalties) - Penalty amounts under the Consumer Protection Act (mgaleg.maryland.gov)
- Md. Code, State Govt. § 10-1305 (Government Agency Notification) - Parallel obligations for state and local government agencies (mgaleg.maryland.gov)
- Maryland Attorney General: Breach Notices - AG's breach notification reporting portal (marylandattorneygeneral.gov)
- Maryland Online Data Privacy Act (SB 541) - MODPA legislation details (mgaleg.maryland.gov)
This article provides general legal information about Maryland data breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Maryland for guidance specific to your situation.