Can I store personal information about my customers in Maryland? What are the requirements?

Yes, you may store personal information about your customers in Maryland, but you must comply with the privacy policies and practices for nonpublic financial information outlined in MDCR Title 31, Subtitle 16, Chapter 08.

Annual Privacy Notice

According to MDCR 31.16.08.06, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices for nonpublic financial information at least once in each annual notice period during the continuation of the customer relationship.

Exceptions to Notice and Opt-Out Requirements

MDCR 31.16.08.16 outlines the exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information. You may disclose nonpublic personal financial information without providing notice and opt-out if:

• The consumer has given consent or direction for the disclosure and has not revoked it.
• The disclosure is necessary to protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction.
• The disclosure is necessary to protect against or prevent actual or potential fraud or unauthorized transactions.
• The disclosure is required for institutional risk control or for resolving consumer disputes or inquiries.
• The disclosure is made to persons holding a legal or beneficial interest relating to the consumer.
• The disclosure is made to persons acting in a fiduciary or representative capacity on behalf of the consumer.
• The disclosure is made to provide information to insurance rate advisory organizations, guaranty funds or agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors.
• The disclosure is specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978.
• The disclosure is made to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
• The disclosure is made in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.
• The disclosure is necessary to comply with federal, state, or local laws, rules, and other applicable legal requirements.
• The disclosure is necessary to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities.
• The disclosure is necessary to respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.
• The disclosure is necessary for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan.

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

MDCR 31.16.08.11 outlines the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. You may not disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless you have provided the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt-out of the disclosure. You shall comply with this regulation regardless of whether you and the consumer have established a customer relationship.

In summary, you may store personal information about your customers in Maryland, but you must comply with the privacy policies and practices for nonpublic financial information outlined in MDCR Title 31, Subtitle 16, Chapter 08. You must provide an annual privacy notice, comply with the exceptions to notice and opt-out requirements, and limit disclosure of nonpublic personal financial information to nonaffiliated third parties.

Jurisdiction

Maryland

• Privacy