(a) To protect personal information from unauthorized access, use, modification, or disclosure, a unit that collects personal information of an individual shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information collected and the nature of the unit and its operations.
(b) (1) This subsection shall apply to a written contract or agreement that is entered into on or after July 1, 2014.
(2) A unit that uses a nonaffiliated third party as a service provider to perform services for the unit and discloses personal information about an individual under a written contract or agreement with the third party shall require by written contract or agreement that the third party implement and maintain reasonable security procedures and practices that:
(i) are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and
(ii) are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction.
Structure Maryland Statutes
Title 10 - Governmental Procedures
Subtitle 13 - Protection of Information by Government Agencies
Section 10-1302 - Applicability Limitations
Section 10-1303 - Destruction of Records
Section 10-1304 - Security Measures
Section 10-1305 - Investigation and Notification on Breach of Security by System
Section 10-1306 - Preemption of Local Law
Section 10-1307 - Requirements for Notice to 1,000 or More Individuals
Section 10-1308 - Compliance With Federal Privacy Law Provisions Deemed Compliant With Subtitle