Maryland & Federal Law

The Cybersecurity Laws
That Apply to Your
Maryland Business.

Maryland has enacted some of the most significant state-level cybersecurity and privacy laws in the country. Combined with federal obligations, most small businesses — financial firms, accounting practices, medical offices, and others — face multiple overlapping compliance requirements they may not fully know about.

For informational purposes only. This page provides plain-language summaries of cybersecurity and privacy laws that may affect Maryland businesses. It is not legal advice. Laws and enforcement guidance change — consult a qualified attorney to understand your specific obligations. Sources include the Maryland Office of the Attorney General, Maryland General Assembly, and U.S. federal agencies.

Maryland State Laws

Maryland-Specific
Compliance Requirements

These laws are enacted by the Maryland General Assembly and enforced by the Maryland Office of the Attorney General or other state regulators. They apply specifically to businesses operating in — or serving residents of — Maryland.

Maryland State Law
PIPA
Maryland Personal Information Protection Act
Md. Code Ann., Com. Law § 14-3501 et seq.
Original: 2008 · Amended: 2019, 2022
Applies To
All Businesses · Financial · CPA / Accounting · Medical · Any Small Business

The Foundation of Maryland Data Security Law

PIPA is Maryland’s core cybersecurity statute. It applies to any business — regardless of size or location — that owns, licenses, or maintains personal information about Maryland residents. It requires businesses to implement reasonable security measures to protect that information, and to notify affected individuals and the Maryland Attorney General if a breach occurs. Violations are classified as unfair or deceptive trade practices under the Maryland Consumer Protection Act.

Reasonable Security Measures Must implement and maintain security procedures appropriate to the nature and size of the business and the type of data held.
Breach Notification — Individuals Notify affected Maryland residents as soon as reasonably practicable and no later than 45 days after the business discovers or is notified of the breach, unless a reasonable and prompt investigation shows no likelihood that the information has been or will be misused.
Breach Notification — Attorney General The Maryland Attorney General must be notified before individual notices are sent, whatever the number of residents affected. If more than 1,000 residents are affected, the nationwide consumer reporting agencies must also be told the timing, distribution, and content of the notices.
Service Provider Contracts Third-party vendors given access to personal data must be contractually required to maintain reasonable security practices.
Data Destruction When destroying records containing personal information, businesses must take reasonable steps to prevent unauthorized access.
Genetic & Biometric Data Successive amendments have widened the definition of personal information beyond Social Security, driver's license and financial account numbers to cover biometric data, health insurance policy numbers and passport numbers, and, with the 2022 amendments, genetic information.

Penalties: Civil penalties beginning at $1,000 per first violation and $5,000 per subsequent violation. Violations are treated as deceptive trade practices under the Consumer Protection Act, which can lead to additional civil and criminal consequences. The AG may also pursue injunctive relief. Source: Maryland Office of the Attorney General

Maryland State Law
MODPA
Maryland Online Data Privacy Act
Senate Bill 541 (2024)
Signed: May 2024 · Effective: October 1, 2025 · Enforced: April 1, 2026
Applies To
Data Controllers · Businesses Targeting MD Residents · E-Commerce · SaaS / Tech
Maryland’s Comprehensive Consumer Privacy Law

Signed by Governor Moore in May 2024, MODPA makes Maryland the 18th state with a comprehensive consumer privacy law, and one of the strictest. It applies to any person that conducts business in Maryland or targets products or services to Maryland residents and, in the preceding year, either controlled or processed the personal data of 35,000 or more consumers (excluding data processed solely to complete a payment transaction) or controlled or processed the personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from selling personal data. There is no revenue floor, so small firms can be covered. Enforcement by the Maryland Attorney General began April 1, 2026.

Consumer Rights Maryland residents may access, correct, delete, and obtain a portable copy of their personal data, and opt out of its sale or use for targeted advertising.
Sensitive Data Restrictions Sensitive data (including health data, precise geolocation, genetic and biometric data, and children's data) may be collected or processed only when strictly necessary to provide or maintain a product or service the consumer specifically requested, and may not be sold at all, even with consent.
Privacy Policy Required Must provide a clear, accessible privacy policy disclosing data collection practices, third-party sharing, and consumer rights.
Data Protection Assessments Required for processing activities that present heightened risk of harm to consumers — must be conducted and documented.
Children’s Data Prohibits selling the personal data of, or processing it for targeted advertising to, any consumer the controller knew or should have known is under 18. There is no consent exception, so a business needs a defensible basis for its age determinations.
Universal Opt-Out Mechanisms Must recognize an opt-out preference signal sent from the consumer's browser or device as a valid request to opt out of the sale of personal data and of targeted advertising, and honor it without requiring the consumer to create an account.
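The mechanics of honoring a browser-level signal are simple but easy to get subtly wrong: the check has to be case-insensitive on the header name, strict on the value, and the signal must override a previously stored opt-in rather than be overwritten by it. The following is an added example, not code from the page or from any Maryland agency. It assumes the signal is Global Privacy Control (GPC), which a browser sends as the request header Sec-GPC: 1 and exposes in-page as navigator.globalPrivacyControl; MODPA itself does not name a specific signal, so treat the choice of GPC as an assumption, and the request shapes below are constructed sample data.

```javascript
// Added example: honoring a browser-level opt-out preference signal on the
// server side. Assumption: the signal is Global Privacy Control (GPC),
// header "Sec-GPC: 1". The page names no specific signal; GPC is assumed.

// The two processing categories a universal signal opts the consumer out of.
const OPT_OUT_CATEGORIES = ["sale", "targeted_advertising"];

// Case-insensitive header lookup. Accepts plain objects with either
// lower-cased names (as Node's http module presents them) or mixed case,
// and tolerates string[] values by taking the first entry.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// True only for the exact value "1", the only value GPC defines.
// "0", empty, or any other value is treated as "no signal", not as consent.
function gpcSignalPresent(headers) {
  const v = headerValue(headers, "sec-gpc");
  return typeof v === "string" && v.trim() === "1";
}

// Resolve what processing is permitted for this request.
// storedChoices is whatever the business's own consent store holds,
// e.g. { sale: true, targeted_advertising: true } meaning opted IN.
// The signal wins over any stored opt-in, and is never written back to
// the store as consent: it is a request, not a preference to persist.
function resolveProcessing(headers, storedChoices = {}) {
  const signal = gpcSignalPresent(headers);
  const allowed = {};
  for (const cat of OPT_OUT_CATEGORIES) {
    allowed[cat] = signal ? false : Boolean(storedChoices[cat]);
  }
  return { signal, allowed };
}

// Express-style middleware (hypothetical integration point): attaches the
// decision to the request so downstream handlers that load ad tags or
// share data with partners can consult req.privacy.allowed before acting.
function optOutMiddleware(req, res, next) {
  req.privacy = resolveProcessing(req.headers, req.storedChoices);
  if (req.privacy.signal) {
    // Responses differ by signal, so shared caches must key on it.
    res.setHeader("Vary", "Sec-GPC");
  }
  next();
}

// Client-side counterpart, for tags that run in the browser rather than
// on the server:
//   if (navigator.globalPrivacyControl === true) { /* skip tracking tags */ }

// Constructed sample requests for a stand-alone run.
const samples = [
  { headers: { "sec-gpc": "1" }, storedChoices: { sale: true, targeted_advertising: true } },
  { headers: { "Sec-GPC": "0" }, storedChoices: { sale: true } },
  { headers: {}, storedChoices: {} },
];

for (const s of samples) {
  console.log(JSON.stringify(resolveProcessing(s.headers, s.storedChoices)));
}
```

The point a practitioner should take from this is the precedence rule in resolveProcessing: a stored opt-in from last year does not beat a signal on today's request, and a signal that is absent is not evidence of consent, it simply leaves the stored choice in force.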

Penalties: Up to $10,000 per violation and up to $25,000 per subsequent violation, enforced exclusively by the Maryland Attorney General’s Office. No private right of action — consumers cannot sue directly. Criminal proceedings are possible for willful violations. Source: Maryland SB 541 / Maryland Office of the Attorney General

Maryland State Law
SB 207
Maryland Insurance Data Security Law
Md. Code, Insurance, Title 33
Enacted: 2022 · Effective: October 1, 2022 · Full compliance: October 2024
Applies To
Insurance Carriers · HMOs · Third-Party Administrators
Cybersecurity Requirements for Insurance Entities

Based on the National Association of Insurance Commissioners (NAIC) model law, SB 207 requires Maryland-domiciled insurance carriers — including health maintenance organizations and third-party administrators — to develop, implement, and maintain a comprehensive Written Information Security Program (WISP) and report significant cybersecurity events to the Maryland Insurance Administration (MIA) within three business days.

Written Information Security Program (WISP) Must develop and maintain a comprehensive WISP with administrative, technical, and physical safeguards appropriate to the carrier’s size and risk profile.
Annual Board Reporting Board of Directors must receive an annual report on the status of the WISP and compliance with its requirements.
Cybersecurity Event Notification Must notify the Maryland Insurance Commissioner within 3 business days of determining a qualifying cybersecurity event has occurred.
Annual Compliance Certification Must submit annual certification of compliance with the law’s requirements to the Maryland Insurance Commissioner.
Service Provider Requirements Must ensure service providers implement appropriate security safeguards; compliance required by October 2024.
Incident Response Plan Must establish and maintain a documented plan for responding to cybersecurity events, including investigation and remediation steps.

Penalties: The Maryland Insurance Commissioner may investigate violations and issue fines of between $100 and $125,000 per violation. Source: Maryland Insurance Administration

Federal Law

Federal Regulations That
Apply in Maryland

In addition to state law, most Maryland businesses in regulated industries face overlapping federal compliance obligations. In many cases, compliance with a federal law also satisfies Maryland state requirements — but not always.

HIPAA

Health Insurance Portability and Accountability Act · Privacy, Security & Breach Notification Rules

Who it applies to:
Healthcare providers, health plans, healthcare clearinghouses, and their business associates — including vendors who handle protected health information (PHI) on their behalf.
Key requirements for Maryland medical offices: Administrative, physical, and technical safeguards for PHI · Written security policies and a documented risk analysis · Workforce training on privacy and security · Business Associate Agreements (BAAs) with vendors · Breach notification to affected individuals without unreasonable delay and no later than 60 days after discovery; HHS notified within the same 60 days for breaches affecting 500 or more individuals, and through the annual breach log for smaller ones · Periodic security risk assessments (annual in practice)

GLBA

Gramm-Leach-Bliley Act · Safeguards Rule (FTC 16 CFR Part 314)
Who it applies to:
Financial institutions — including investment advisors, mortgage brokers, CPAs offering financial services, insurance companies, and any business that collects nonpublic financial information from consumers.
Key requirements for Maryland financial and CPA firms: Written information security program (WISP) · Designated "qualified individual" responsible for the program · Written risk assessment, reviewed and updated periodically · Employee training on data protection · Vendor oversight and contractual safeguards · Multi-factor authentication for anyone accessing customer information · Encryption of customer information in transit and at rest · Incident response plan · Notification to the FTC within 30 days of discovering a notification event involving 500 or more consumers · Note: the Safeguards Rule covers tax preparers, and the IRS requires preparers to attest to having a WISP when renewing a PTIN.

CMMC

Cybersecurity Maturity Model Certification 2.0 · Level 1 · DoD / DFARS
Who it applies to:
Any business — including manufacturers, engineering firms, IT providers, and service companies — that handles Federal Contract Information (FCI) under a Department of Defense contract or subcontract.
Key requirements for Maryland defense contractors: The 15 basic safeguarding requirements of FAR 52.204-21, to which CMMC 2.0 Level 1 maps one-to-one · Annual self-assessment, with results and a senior-official affirmation recorded in SPRS · Access control and user identification and authentication · Media protection and physical protection · System and communications protection and system integrity (malware protection, patching) · Written documentation of compliance · Incident reporting to DoD under DFARS 252.204-7012 applies when a contract involves Controlled Unclassified Information (Level 2), not at Level 1 · Misrepresenting compliance carries False Claims Act exposure

PCI DSS

Payment Card Industry Data Security Standard · v4.0
Who it applies to:
Any Maryland business that accepts, processes, stores, or transmits credit or debit card payments — regardless of size or transaction volume.
Key requirements: Secure network configuration · Cardholder data encryption · Vulnerability management · Access control · Regular monitoring and testing · Information security policy · Annual self-assessment questionnaire (SAQ) for smaller merchants · Penalties imposed by card brands — not a government regulator

FTC Act

Federal Trade Commission Act · Section 5 — Unfair or Deceptive Practices
Who it applies to:
Virtually all U.S. businesses. The FTC has used Section 5 to bring enforcement actions against companies whose data security practices are deemed unfair or deceptive to consumers.
What this means in practice: Misrepresenting security practices in a privacy policy is a federal violation · Failure to implement “reasonable” security can be considered an unfair practice · The FTC has pursued enforcement actions against companies of all sizes · Complements Maryland’s PIPA, which also classifies violations as deceptive trade practices

NIST CSF

NIST Cybersecurity Framework · Version 2.0 (2024)
Who it applies to:
Not legally mandatory for most private businesses, but referenced by the Maryland Cybersecurity Council as the preferred framework for assessing and improving security posture across all sectors.
Why it matters in Maryland: Maryland state agencies are assessed against NIST frameworks · NIST alignment helps demonstrate "reasonable security" under PIPA · Defense contractors that handle CUI must implement a separate NIST standard, SP 800-171, under DFARS 252.204-7012 (the CSF itself is not a contract requirement) · Widely used as a benchmark by cyber insurers during policy underwriting

At a Glance

Which Laws Apply
to Your Business?

This matrix provides a general overview. Your specific obligations depend on your business model, the data you hold, and your clients’ industries. A compliance assessment will give you a definitive answer.

Law / Regulation            | Financial Firms    | CPA / Accounting   | Medical Offices    | Defense Contractors  | Any Small Business
PIPA (Maryland)             | ✓ Yes              | ✓ Yes              | ✓ Yes              | ✓ Yes                | ✓ Yes
MODPA (Maryland)            | ⚠ Likely           | ⚠ Likely           | ⚠ Likely           | ⚠ Likely             | ⚠ Check threshold
GLBA Safeguards Rule        | ✓ Yes              | ✓ Yes (tax prep)   | — Not typically    | — Not typically      | ⚠ If financial services
HIPAA                       | — Not typically    | — Not typically    | ✓ Yes              | — Not typically      | ⚠ If handling PHI
CMMC 2.0 Level 1            | — Not typically    | — Not typically    | — Not typically    | ✓ Yes (if DoD FCI)   | ⚠ If DoD contract
MD Insurance Law (SB 207)   | — Not typically    | — Not typically    | — Not typically    | — Not typically      | ⚠ If insurance carrier
PCI DSS                     | ⚠ If card payments | ⚠ If card payments | ⚠ If card payments | ⚠ If card payments   | ⚠ If card payments
FTC Act (Section 5)         | ✓ Yes              | ✓ Yes              | ✓ Yes              | ✓ Yes                | ✓ Yes
NIST CSF (voluntary)        | ✓ Recommended      | ✓ Recommended      | ✓ Recommended      | ✓ Recommended        | ✓ Recommended

Legislative History

How Maryland’s Cybersecurity
Law Has Evolved

Maryland has steadily strengthened its cybersecurity legal framework since 2008. Understanding this trajectory helps businesses anticipate where regulation is heading.

2008
January
State Law
PIPA Enacted — Maryland’s First Data Breach Notification Law

The Maryland Personal Information Protection Act established the state’s foundational data security requirement — mandating reasonable security practices and breach notification for any business holding Maryland residents’ personal information.

2015
Ongoing
State Initiative
Maryland Cybersecurity Council Chartered

The Maryland Cybersecurity Council was established to assess cyber risk across the state and advise on policy. It issues biennial reports that directly inform new legislation. Its 2025 report — citing over 1,800 confirmed breaches — is driving the next wave of requirements.

2019
October
PIPA Amendment
PIPA Expanded to Cover Businesses That “Maintain” Data

House Bill 1154 expanded PIPA’s reach to include businesses that maintain — not just own or license — personal information. This brought third-party service providers and data processors squarely within the law’s scope.

2022
October
Major Update
PIPA Strengthened — Shorter Notification Window, Expanded Data Categories

HB 962 changed the breach notification clock from 45 days after the conclusion of the business's investigation to 45 days after the business discovers or is notified of the breach. It added genetic information to the definition of personal information (biometric data and health insurance policy numbers had been added by earlier amendments). It also shifted the default toward notification: notice is required unless the business's investigation shows no likelihood that the information has been or will be misused.

2022
October
New Law
Maryland Insurance Data Security Law (SB 207) Enacted

Insurance carriers operating in Maryland were required to implement comprehensive Written Information Security Programs (WISPs), report cybersecurity events to the Insurance Commissioner within 3 business days, and submit annual compliance certifications.

2024
May
Landmark Law
MODPA Signed — One of the Nation’s Strongest Consumer Privacy Laws

Governor Moore signed the Maryland Online Data Privacy Act, making Maryland the 18th state with comprehensive consumer privacy legislation — and one of the strictest. MODPA prohibits selling sensitive consumer data regardless of consent, mandates data protection assessments, and gives Maryland consumers robust rights over their personal information.

2025
July
Report Released
Maryland Cybersecurity Council Biennial Report — New Legislative Direction Signaled

The Council’s July 2025 report identified five critical risk areas: utilities, healthcare, legacy IT systems, talent shortages, and consumer privacy. The report cited over 1,800 confirmed breaches nationwide since its previous report and is expected to drive additional legislation affecting private-sector businesses in Maryland.

2025
October
Now Active
MODPA Takes Effect — AG Enforcement Begins April 2026

The Maryland Online Data Privacy Act became effective October 1, 2025. The Maryland Attorney General began enforcement on April 1, 2026. Businesses that had not yet assessed their compliance posture faced immediate exposure.

Don’t Navigate This Alone

Know Which Laws Apply.
Know What to Do Next.

A Spartan Cyber Risk Review maps your current security posture against the regulations that apply to your specific business — and gives you a clear, prioritized plan to close the gaps.