Maryland’s Personal Information Protection Act and What It Actually Requires of Small Businesses

Most Maryland small business owners have never read PIPA, and many have never heard of it. The statute has been in effect since 2008 and has been amended multiple times since, most significantly in 2019 (expanding coverage) and 2022 (tightening notification timing and standards). It applies to nearly every business in Maryland that holds personal information about Maryland residents, which is essentially every business with employees, customers, patients, clients, or vendors who are Maryland residents. A Maryland business law attorney advising a small business client through a data security incident usually starts by explaining what PIPA actually requires, because the owner often discovers the obligations during the breach response rather than during the calmer months when compliance work could have been done deliberately.

What PIPA Actually Covers

The Maryland Personal Information Protection Act is codified at Maryland Commercial Law sections 14-3501 through 14-3508. The statute has two main components: a security obligation and a breach notification obligation.

The security obligation requires any business that owns, licenses, or maintains personal information about Maryland residents to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and the size of the business. The standard is intentionally flexible because what counts as reasonable for a sole proprietor differs from what counts as reasonable for a 200-employee company, but the requirement applies regardless of size.

The breach notification obligation requires notice to affected individuals and, in many cases, to the Maryland Attorney General’s Office when a security breach has occurred and the business cannot reasonably determine that the breach is unlikely to result in misuse of personal information.

PIPA defines personal information as a Maryland resident’s first name or first initial and last name in combination with one or more specific data elements: Social Security number, driver’s license or state ID number, financial account or credit/debit card number with a security code or password, individual taxpayer identification number, passport number, biometric data, health information, health insurance information, or genetic information. The list expanded in 2022 to include genetic information, reflecting the growth in consumer DNA testing and similar services.

What the 2022 Amendments Changed

The amendments enacted through HB 962 in 2022 produced three changes that small businesses should understand.

The notification trigger changed. Previously, notice was required only if the business determined a breach was likely to result in misuse. Now, notice is presumed required unless the business reasonably determines that the breach is unlikely to result in misuse. The presumption shift effectively places the burden on the business to justify not providing notice, rather than requiring that the circumstances of the breach affirmatively call for notice.

The notification timeline tightened. Notice to affected individuals must be provided within 45 days of discovery of the breach (or notification from a service provider that a breach has occurred), not 45 days from completion of an investigation. The shift means investigations and notification typically run in parallel rather than sequentially.

Service provider obligations sharpened. A vendor or service provider that experiences a breach affecting a client’s data must notify the data owner within 10 days of discovery, not 45 days. This compresses the response timeline and makes vendor management materially more important.

The Specific Compliance Obligations Most Small Businesses Miss

Several PIPA requirements turn up consistently in small business compliance gaps.

Reasonable security procedures, written down. A small business that has reasonable practices in operation but has never documented them is in a weaker position during enforcement than a business with the same practices documented in a written security policy. Documentation matters both for the compliance posture and for proving that practices were in place if a breach occurs.

Vendor contracts requiring reasonable security. PIPA requires businesses that share personal information with non-affiliated third parties to require those parties to implement and maintain reasonable security procedures, by written contract. A small business that has never reviewed its vendor contracts for this provision likely has gaps with payment processors, cloud services, marketing platforms, payroll services, and similar vendors.

Records destruction practices. Personal information being disposed of must be destroyed in a manner that protects against unauthorized access. Throwing customer records into ordinary trash is not compliant. Shredding paper records and securely wiping electronic media are the standard practices.

Breach notification preparation. A small business with no incident response plan typically loses several days of the 45-day notification window figuring out what to do when a breach is discovered. A short, written incident response procedure shortens the eventual response significantly.

What the Notification Itself Must Include

When notification is required, the content is specified by the statute. Notification must include a description of the categories of information that were or are reasonably believed to have been accessed, contact information for the business, toll-free numbers and addresses for the three major credit reporting agencies (Equifax, Experian, TransUnion), toll-free numbers and addresses for the Federal Trade Commission and the Maryland Attorney General’s Office, and a statement that the individual can obtain information from those sources about steps to avoid identity theft.

If the breach involves Social Security numbers, the business must offer at least one year of free credit monitoring or identity theft prevention services.

For breaches affecting more than 1,000 Maryland residents, notification to the three major credit reporting agencies is also required. The Maryland Attorney General must be notified before consumers in most cases, with limited carve-outs.

Penalties for Non-Compliance

A PIPA violation is treated as an unfair or deceptive trade practice under the Maryland Consumer Protection Act. Civil penalties begin at up to $1,000 per violation for a first offense and rise to up to $5,000 for subsequent violations. The Attorney General’s Office may also seek injunctive relief.

The penalty structure looks modest until the per-violation calculation is multiplied across thousands of affected individuals in a significant breach. Aggregate exposure can become substantial quickly, and the reputational damage of a publicly disclosed enforcement action often exceeds the direct financial penalty.

Maryland’s broader privacy framework is also expanding. The Maryland Online Data Privacy Act, signed in 2024 with the operative date of October 1, 2025, adds a comprehensive consumer privacy regime that goes beyond PIPA’s breach notification focus. Compliance with PIPA does not necessarily mean compliance with MODPA, and businesses subject to both should approach them as related but distinct obligations.

Working With a Maryland Business Law Attorney on PIPA Compliance

A practical compliance review typically covers the security procedures the business currently uses, the vendor contracts in place, the written documentation of policies, the records destruction practices, and the incident response readiness. Working with a Maryland business law attorney such as those at The Mundaca Law Firm, with offices in Annapolis and Washington D.C., during the calm period before any incident produces stronger compliance posture than addressing the same issues during a 45-day breach notification window.

The Short Version

Maryland’s Personal Information Protection Act applies to nearly every Maryland business that holds personal information about state residents, requires reasonable security and timely breach notification, and now operates under a presumption that notice is required unless the business can justify otherwise. Compliance involves documented security practices, vendor contracts, records destruction procedures, and incident response readiness. For small businesses that have never formally reviewed their PIPA compliance, a Maryland business law attorney can audit current practices and close the gaps before a breach forces the issue under deadline.