ARTICLE
27 September 2019

Maryland Adds Insurance Commissioner To Breach Notification Requirements

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements.
United States Privacy

Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements.

In August 2019, the Maryland Insurance Administration issued Bulletin 19-14 informing insurers, nonprofit health plans, HMOs, managed care organizations, managed general agents and third party administrators of a new notice requirement for data breaches.

After an incident, once the regulated company conducts the investigation required by the state's existing data breach law, the new rule requires that regulated entity to also send notice to the Maryland insurance commissioner if the breach of security "creates a likelihood that personal information has been or will be misused". The notice must be sent to the commissioner at the same time as the notice submitted to the Maryland AG. The notification must include 1) a description of the security breach, 2) a copy of any consumer notifications, and 3) a copy of the notice sent to the Maryland AG. An online form can be used to submit the notice.

October looks to be a busy month for new breach notification obligations in Maryland. We previously reported on the other amendment happening next month.

Putting it into Practice: If your organization provides health insurance and related services, now is the time to update your nationwide breach notice plan to address this additional notification requirement. Maryland is not the only state to have requirements specific to insurance companies or to require notification to an insurance commissioner. Connecticut, Ohio, New Hampshire, and Washington do as well (among others).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More