So, even though these are two different bills that were signed, because the text was identical it is considered one law.

H.B. 208 and S.B. 194 defines personal information as an individual's first name or initial and last name in combination with their unencrypted or unredacted Social Security number, driver's license number, taxpayer identification number, or financial account information in combination with access codes or passwords.

Interestingly, information under the protection of the Health Insurance Portability and Accountability Act (HIPAA) is not considered "personal information."

The new Maryland law contains a risk of harm threshold for when notification is required. A company must provide notice to individuals only if an investigation shows that "misuse of the individual's personal information has occurred or is reasonably likely to occur."

If a company determines that no notification is required it must retain information detailing its decision that the risk of harm threshold was not met for at least 3 years.

Besides just requiring breach notices, as most other state breach notice laws do, the new Maryland law also requires organizations to provide safeguards for personally identifiable information (PII).

Businesses that possess or destroy records with PII must take reasonable measures to prevent unauthorized access to that information.

And, as of January 1, 2009, businesses will also have to include these data protection requirements in their contracts with third party companies they use to maintain or destroy records.

I'm glad to see this law covers PII in paper form. Many significant incidents have occurred with PII on paper. However, the U.S. really needs a comprehensive federal data protection law to make protecting PII consistent throughout all the states and territories.