Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I use third-party file sharing tools that collect personal information in Maryland? What are the requirements?

Use of Third-Party File Sharing Tools in Maryland

If you are using third-party file sharing tools that collect personal information in Maryland, you must comply with the Maryland Personal Information Protection Act (MPIPA) [1.1]. The MPIPA requires businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure [1.1].

Under the MPIPA, personal information is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  • Social Security number
  • Driver’s license number or state identification card number
  • Financial account number, including a credit card number or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account
  • Individual taxpayer identification number [1.1]

If the third-party file sharing tool collects personal information as defined by the MPIPA, you must comply with the following requirements:

  • Obtain consent from the individual before collecting, using, or disclosing their personal information [1.1]
  • Implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure [1.1]
  • Notify affected individuals in the event of a breach of personal information [1.1]

It is important to note that the MPIPA applies to businesses that own, license, or maintain personal information about Maryland residents, regardless of whether the business is located in Maryland [1.1].

Conclusion

If the third-party file sharing tool collects personal information as defined by the MPIPA, you must obtain consent from the individual, implement reasonable security procedures, and notify affected individuals in the event of a breach. It is important to note that the MPIPA applies to businesses that own, license, or maintain personal information about Maryland residents, regardless of whether the business is located in Maryland.

Source(s):
Jurisdiction

Maryland