(a) In this subtitle the following words have the meanings indicated.
(b) (1) “Breach of the security of a system” means the unauthorized acquisition of personally identifiable information maintained by a public institution of higher education that creates a reasonable risk of harm to the individual whose personally identifiable information was subject to unauthorized acquisition.
(2) “Breach of the security of a system” does not include:
(i) the good faith acquisition of personally identifiable information by an employee or agent of a public institution of higher education for the purposes of the public institution of higher education, provided that the personally identifiable information is not used or subject to further unauthorized disclosure; or
(ii) personally identifiable information that was secured by encryption or redacted and for which the encryption key has not been compromised or disclosed.
(c) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using a technology that:
(1) is certified to meet or exceed the level that has been adopted by the Federal Information Processing Standards issued by the National Institute of Standards and Technology; and
(2) renders such data indecipherable without an associated cryptographic key necessary to enable decryption of such data.
(d) “Individual” means a natural person.
(e) “Legitimate basis” means a public institution of higher education has a contractual need, public interest purpose, business purpose, or legal obligation for processing or that the individual has consented to the processing of the individual’s personally identifiable information by the public institution of higher education.
(f) (1) “Personally identifiable information” means any information that, taken alone or in combination with other information, enables the identification of an individual, including:
(i) a full name;
(ii) a Social Security number;
(iii) a driver’s license number, state identification card number, or other individual identification number;
(iv) a passport number;
(v) biometric information including an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity;
(vi) geolocation data;
(vii) Internet or other electronic network activity information, including browsing history, search history, and information regarding an individual’s interaction with an Internet website, application, or advertisement; and
(viii) a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.
(2) “Personally identifiable information” does not include data rendered anonymous through the use of techniques, including obfuscation, delegation and redaction, and encryption, so that the individual is no longer identifiable.
(g) “Processing” means any operation or set of operations that is performed on personally identifiable information or on a set of personally identifiable information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(h) “Public institution of higher education” means:
(1) the constituent institutions of the University System of Maryland and the University of Maryland Center for Environmental Science;
(2) Morgan State University;
(3) St. Mary’s College of Maryland; and
(4) a community college established under Title 16 of the Education Article.
(i) “Reasonable security procedures and practices” means security protections that align with the current standard of care within similar commercial environments and with applicable State and federal laws.
(j) “Records” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
(k) “System” means an electronic or other physical medium maintained or administered by a public institution of higher education and used on a procedural basis to store information in the ordinary course of the business of the public institution of higher education.