Maryland Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do
A comprehensive guide to Maryland's cybersecurity and data privacy laws, including the Personal Information Protection Act (PIPA), the new Maryland Online Data Privacy Act, and industry-specific compliance requirements for defense contractors and healthcare organizations.
Maryland's regulatory landscape for cybersecurity and data privacy is among the most complex in the country, driven by the state's unique position at the center of the federal defense and intelligence ecosystem. Businesses operating in Maryland must navigate a layered framework that includes state-specific data breach notification requirements, a newly enacted comprehensive consumer privacy law, and federal mandates that carry outsized importance for the state's dominant defense contracting sector.
The consequences of noncompliance are not theoretical. Maryland organizations have faced significant penalties, lost government contracts, and suffered reputational damage from cybersecurity failures. The history of data breaches in Maryland provides ample evidence that attackers target the state's businesses relentlessly, making compliance both a legal obligation and a practical necessity for survival.
Maryland's Primary Data Privacy & Cybersecurity Laws
Maryland Personal Information Protection Act (PIPA)
PIPA, codified in Maryland Commercial Law Sections 14-3501 through 14-3508, is the state's foundational data protection statute. It requires businesses that own, license, or maintain personal information of Maryland residents to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information and to the nature and size of the business, to protect that information from unauthorized access, use, modification, or disclosure. PIPA also establishes the state's data breach notification requirements; amendments in 2017 and 2022 tightened the timeline so that notice is now due as soon as reasonably practicable and no later than 45 days after the business discovers or is notified of the breach.
Maryland Online Data Privacy Act (MODPA)
Signed into law in May 2024, the Maryland Online Data Privacy Act is one of the most consumer-protective state privacy laws in the country. MODPA takes effect on October 1, 2025, although it does not apply to processing activities that occur before April 1, 2026. It applies to businesses that control or process the personal data of at least 35,000 Maryland consumers (excluding data processed solely to complete a payment transaction), or that control or process the data of at least 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data. The law grants consumers the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, sale, and profiling. Notably, MODPA prohibits the sale of sensitive data outright, with no consent exception, and limits collection of personal data to what is reasonably necessary and proportionate to provide or maintain the specific product or service the consumer requested; for sensitive data the standard is "strictly necessary."
Maryland Consumer Protection Act
The Maryland Consumer Protection Act (CPA), codified in Maryland Commercial Law Title 13, gives the Attorney General broad enforcement authority over unfair and deceptive trade practices, which can include misleading privacy policies or a failure to protect consumer data as promised. Violations can result in civil penalties of up to $10,000 per violation, rising to $25,000 for each subsequent violation, and the CPA provides a private right of action for consumers who suffer actual injury or loss. PIPA violations are themselves enforced as unfair or deceptive trade practices under the CPA, so the two statutes operate together.
Data Breach Notification Requirements in Maryland
Maryland's breach notification law applies to any business that owns, licenses, or maintains computerized personal information of Maryland residents. The key requirements under the amended PIPA include:
Notification timeline: Affected individuals must be notified as soon as reasonably practicable, and no later than 45 days after the business discovers or is notified of the breach. A business that only maintains the data on behalf of another owner or licensee must notify that owner, which is then responsible for notifying individuals.
Attorney General notification: For any breach that requires individual notice, the business must notify the Office of the Attorney General before it notifies individuals. If 1,000 or more individuals must be notified, the business must also notify the nationwide consumer reporting agencies.
Content requirements: Notification must describe the breach and the types of information compromised, provide contact information for the business, list toll-free numbers and addresses for the major consumer reporting agencies, the Federal Trade Commission, and the Attorney General, and state that the individual can obtain information from those sources about steps to avoid identity theft.
Covered data: Personal information means an individual's first name or first initial and last name combined with a Social Security, taxpayer identification, or passport number; a driver's license or state identification number; a financial account, credit card, or debit card number together with any code or password needed to access the account; health information; a health insurance policy number; or biometric data. A username or email address combined with a password or security question and answer is covered on its own. Data that is encrypted, redacted, or otherwise rendered unreadable is excluded, unless the key or method needed to read it was also compromised.
Safe harbor: Notification is not required if, after a reasonable investigation, the business determines that the breach does not create a likelihood that the personal information has been or will be misused. The business must keep records reflecting that determination for three years.
Businesses should maintain an incident response plan keyed to these requirements. Because the 45-day clock runs from discovery rather than from the end of the investigation, detection, triage, and scoping have to be fast; understanding managed IT security services can help organizations build the detection and response capabilities needed to meet that window.
Industry-Specific Compliance in Maryland
Defense Contractors — CMMC 2.0 and NIST 800-171
Maryland's defense contracting sector faces some of the most stringent cybersecurity requirements in any industry. The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework requires contractors that handle Controlled Unclassified Information (CUI) to meet Level 2, which maps to the 110 security requirements in NIST Special Publication 800-171. Maryland is home to thousands of defense contractors, from major primes to small subcontractors, and noncompliance can result in loss of contract eligibility, effectively a business-ending outcome for firms that depend on government work.
Depending on the contract, Level 2 is either self-assessed with an annual affirmation or, for most contracts involving CUI, assessed by a Certified Third-Party Assessment Organization (C3PAO) every three years. Level 1, for contractors that handle only Federal Contract Information, is an annual self-assessment, and Level 3 adds a government-led assessment against a subset of NIST SP 800-172. Contractors must demonstrate implementation of controls across the 14 NIST SP 800-171 families, including access control, incident response, media protection, and system and communications protection, and must post their assessment results in the Supplier Performance Risk System (SPRS). CMMC requirements are being phased into contracts over a multi-year rollout that began in late 2025, so Maryland contractors that handle CUI should already have their gaps closed or covered by a plan of action.
Healthcare — HIPAA and Maryland-Specific Requirements
Healthcare organizations in Maryland must comply with the federal Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule. Given that Maryland is home to Johns Hopkins, MedStar Health, and the University of Maryland Medical System, the volume of protected health information processed in the state is enormous. Maryland's PIPA also treats health information as personal information, so a breach of health data can trigger state obligations alongside HIPAA's; PIPA does contain a provision deeming businesses that are subject to and in compliance with HIPAA's breach rules to be in compliance with the state rules, and organizations should confirm with counsel whether it covers them rather than assume the two regimes are entirely separate. Organizations operating healthcare IT environments must ensure that their security controls satisfy both federal and state requirements simultaneously.
Financial Services — GLBA and Maryland Regulations
Financial institutions operating in Maryland must comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires a comprehensive written information security program. The Maryland Commissioner of Financial Regulation also oversees state-chartered banks, credit unions, and other financial entities, and may impose additional cybersecurity requirements. The FTC's amended Safeguards Rule, adopted in 2021 and in full effect since June 2023, requires specific technical controls, including multi-factor authentication for anyone accessing customer information, encryption of customer information in transit and at rest, and either continuous monitoring or annual penetration testing with semiannual vulnerability assessments; a further amendment added a 30-day FTC notification requirement for breaches affecting 500 or more consumers, effective May 2024.
Maryland Compliance Checklist for Businesses
Conduct a data inventory: Identify all personal information your organization collects, processes, and stores about Maryland residents, including where it resides and who has access.
Implement reasonable security measures: PIPA requires "reasonable" security practices appropriate to the nature of the personal information and to the nature and size of the business. In practice this means encryption, access controls, employee training, vulnerability management, and incident response planning, with the rigor scaled to the sensitivity and volume of the data held.
Prepare for MODPA compliance: If your organization meets the MODPA thresholds, implement data subject request processes, update privacy policies, conduct data protection assessments for high-risk processing, and minimize data collection to what is reasonably necessary.
Develop an incident response plan: Document procedures for detecting, investigating, and reporting breaches within the 45-day window, remembering that the clock starts at discovery, not at the end of the investigation. Test the plan regularly through tabletop exercises.
Review vendor contracts: PIPA requires a business that shares personal information with a nonaffiliated third-party service provider to require, by contract, that the provider implement reasonable security. Ensure that those contracts also obligate the provider to report incidents promptly and support your breach notification obligations.
Meet industry-specific requirements: Defense contractors must pursue CMMC certification, healthcare organizations must comply with HIPAA, and financial institutions must satisfy GLBA requirements in addition to state law.
Document everything: Maintain records of your security program, risk assessments, and compliance efforts. Documentation is critical for demonstrating compliance to regulators and defending against enforcement actions.
How Businesses Stay Compliant
Compliance is not a one-time project — it requires ongoing effort. Maryland's regulatory environment is evolving rapidly, with MODPA adding significant new obligations beginning in October 2025 and CMMC enforcement continuing to expand. Organizations should consider the following strategies:
First, designate a compliance owner. Whether it is a Chief Information Security Officer, a dedicated compliance manager, or an outsourced virtual CISO, someone must be accountable for tracking regulatory changes and ensuring the organization adapts. Second, conduct annual risk assessments to identify gaps between your current security posture and regulatory requirements. Third, invest in employee training: most breaches still involve a human element, and Maryland's threat landscape demands that employees be prepared for sophisticated social engineering attacks.
For organizations that lack the internal resources to manage compliance independently, understanding what managed IT services provide can help determine whether outsourcing security monitoring, vulnerability management, and compliance support makes sense. Many small businesses in Maryland find that managed services provide a cost-effective path to meeting regulatory requirements without building a full internal security team.
Frequently Asked Questions
What is the Maryland Online Data Privacy Act (MODPA)?
MODPA is Maryland's comprehensive consumer data privacy law, signed in May 2024 and effective October 1, 2025, though it does not reach processing activities that occur before April 1, 2026. It grants consumers rights to access, correct, delete, and obtain copies of their personal data, and to opt out of targeted advertising, sale, and profiling. It also restricts data collection to what is reasonably necessary and proportionate to the product or service requested, prohibits the sale of sensitive data outright, and requires data protection assessments for high-risk processing activities.
Does PIPA apply to small businesses in Maryland?
Yes. PIPA applies to any business that owns or licenses personal information of Maryland residents, regardless of size. There is no small business exemption. Even sole proprietors who collect customer names and Social Security numbers or financial account information must implement reasonable security measures and comply with breach notification requirements.
How does CMMC 2.0 affect Maryland defense contractors?
CMMC 2.0 requires defense contractors handling Controlled Unclassified Information to meet Level 2, which aligns with the 110 requirements in NIST SP 800-171 and, for most CUI contracts, must be certified by a C3PAO assessment. Maryland has one of the highest concentrations of affected contractors in the nation. Failure to achieve the level a contract requires will result in ineligibility for that award, making this an existential compliance requirement for defense firms.
What are the penalties for noncompliance with Maryland data privacy laws?
Penalties vary by statute. Under the Maryland Consumer Protection Act, violations can result in civil penalties of up to $10,000 per violation and up to $25,000 for each subsequent violation. PIPA violations are enforced by the Attorney General as unfair or deceptive trade practices under the CPA. MODPA is likewise enforced by the Attorney General under the CPA and provides no private right of action. Additionally, noncompliant defense contractors risk losing their government contracts, which for many Maryland firms represents their entire revenue base.
Does Maryland require encryption of personal data?
PIPA does not explicitly mandate encryption, but it requires "reasonable" security measures, and encryption of personal information is widely treated as a baseline expectation of reasonableness. PIPA's definition of personal information excludes data that is encrypted, redacted, or otherwise rendered unreadable, so a breach of encrypted data does not trigger notification unless the encryption key or decryption method was also compromised. That creates a strong practical incentive to encrypt personal information at rest and in transit, and to keep keys separate from the data they protect so that a compromise of the data store alone does not defeat the safe harbor.
How does Maryland's privacy law compare to other states?
MODPA is considered one of the most consumer-protective state privacy laws in the country. Unlike most state privacy laws, which permit the sale of sensitive data with consent, MODPA prohibits it outright, holds collection of sensitive data to a "strictly necessary" standard, and restricts collection of all personal data to what is reasonably necessary and proportionate to the product or service requested. It is more restrictive than Virginia's VCDPA or Colorado's CPA in these respects, though less comprehensive than the CPRA framework in California, which includes a dedicated enforcement agency and a limited private right of action for breaches.
Alex Morgan
Updated Apr 5, 2026 · 8 min read