PK Law 2018 Super Lawyers and Rising Stars!

PK Law is pleased to announce that 22 lawyers have been named to the 2018 Super Lawyers Maryland List.

Congratulations to the following PK Law attorneys on their selection to the 2018 Super Lawyers Maryland List (top 5% of Maryland attorneys):

*Steven Allen, Business Litigation
James Benjamin Jr., Environmental Litigation
David Burkhouse, Employment & Labor
Joan Cerniglia-Lowensen, Medical Malpractice Defense
Gregory Kirby, Medical Malpractice Defense
Patricia McHugh Lambert, Business Litigation
Michael Leaf, Real Estate
Natalie Magdeburger, Medical Malpractice Defense
Mairi Pat Maguire, Medical Malpractice Defense
Mark Maneche, Business Litigation
David Pessin, Estate & Probate
Lisa Settles, Employment Litigation
**Catherine Steiner, Medical Malpractice Defense
Drake Zaharris, Business Litigation

*Top 100 MD Lawyers     **Top 50 MD Women Lawyers

And to the 2018 Super Lawyers Maryland Rising Stars List:

Brian Cathell, Medical Malpractice Defense
Chantelle Custodio, Medical Malpractice Defense
Cheryl Jones, Estate & Probate
Kayleigh Keilty, Civil Litigation Defense
Adam Konstas, Schools & Education
Talley Kovacs, General Litigation
Matthew Nelson, Medical Malpractice Defense
Aidan Smith, General Litigation

We congratulate these attorneys; their selection reflects their dedication to PK Law clients and their professionalism within the legal field.


###

_____________________________________________________________________________
About Pessin Katz Law, P.A. (PK Law)
PK Law is a leading Maryland law firm with more than 60 attorneys, paralegals and law clerks. The firm’s main office is located in Towson with offices in Columbia and Bel Air. PK Law’s core practice areas include Corporate and Real Estate, Education Law, Employment Law, Estate Planning and Elder Law, Litigation and Medical Malpractice Defense. www.pklaw.com


Businesses Take Note: Updates to Maryland’s Data Breach Notification Law Take Effect January 1, 2018

By:  James R. Benjamin Jr., Esquire

What are businesses required to do when personal information they have collected is breached?  Most states have breach notification laws with varying degrees of security and notice requirements.  With high-profile data breaches continuing to top headlines, legislators are beginning to make these laws stricter.

Maryland’s legislature is no exception.  On January 1, 2018, several amendments to the Maryland Personal Information Protection Act (“MPIPA”), MD Code Ann., Com. Law §14-3501 et seq., will go into effect.  Businesses collecting personal information should take note and be prepared.

Under the law as amended, the definition of “personal information” under §14-3501 has been greatly expanded. The current definition includes information such as first and last name, social security number, driver’s license number, and bank account numbers/passwords. In light of the amendments, the definition of “personal information” will be more expansive and will also include the following:

  • passport numbers
  • health insurance policy numbers
  • fingerprints/retina scans or other biometric data
  • any mental or physical health information (generally anything covered by HIPAA)
  • usernames/passwords that give access to a person’s e-mail address

In addition, changes have been made to allow notification of a data breach to be made within a set period of time.  Section 14-3504(b) of MPIPA currently requires that a business conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the party has been or will be misused as a result of that breach.  Should the business determine it is reasonably likely the information has been or will be misused, the law currently requires the business to notify the party “as soon as reasonably practicable.”  The law, as amended, will require a business to notify the party owning the data no later than forty-five (45) days after the conclusion of any investigation conducted by the business in which it determined the breach has created a likelihood that the personal information has been or will be misused.  Although not required in MPIPA, businesses should also be sure to provide prompt notice of any data breach to their insurance carrier.

Also, in light of the addition of usernames/passwords giving access to a person’s e-mail address to what is considered personal information under MPIPA, changes have been made under MPIPA to allow businesses to provide alternative notice in certain circumstances.  As the law currently stands, §14-3504(e) generally requires that notice of a data breach be given by written notice sent to the most recent address on record, by telephone, or by e-mail if the business has expressly consented or primarily conducts business through the internet.  However, under §14-3504(i) as amended, in the event of a data breach involving only personal information regarding a person’s e-mail address/password, a business may comply with MPIPA by providing notification in electronic or other form that directs the party whose personal information has been breached promptly to change their usernames, passwords, or security questions or take other appropriate steps to protect the e-mail account.  It should be noted that, generally, such notification cannot be given to the party by sending notification by e-mail to the e-mail account affected by the breach.  That said, however, such notification “may be given by a clear and conspicuous notice delivered to the party online while the party is connected to the affected e-mail account from an internet protocol address or online location from which the business knows the individual customarily accesses the account.”

Lastly, changes will occur to §14-3502 of MPIPA. This section currently governs the destruction of records and currently requires that when a business destroys a customer’s records that contain covered personal information, it must take reasonable steps to protect against unauthorized access or use of that information by others. The entity must take into account: (1) the sensitivity of the records, (2) the nature and size of the business and operations, (3) the costs and benefits of different destruction methods, and (4) available technology.  Under the law, as amended, businesses will be required to also take reasonable care to protect an employee’s or former employee’s personal information.  Importantly, this amendment expands the scope of this section outside the realm of consumer protection alone to include protection of employees.

Data breach security and notification laws in Maryland and throughout the country are evolving and will continue to do so.  It should be noted that the National Association of Insurance Commissioners’ (NAIC) recent passage of the Insurance Data Security Model Law will provide many states with guidance on specific security measure requirements.  Accordingly, it is of paramount importance that businesses keep abreast of compliance and notification requirements in this area.

James R. Benjamin Jr. has substantial experience representing and advising insurers and business entities in a wide range of matters including lead paint compliance, abatement and notice requirements, and minority-owned and women-owned business (MBE and WBE) certification, procurement, structuring, and joint venturing and teaming arrangements. Mr. Benjamin can be reached at (410) 339-5787 or jbenjamin@pklaw.com.

NAIC’s Model Law Opens Door for State Data Security Standards

By:  Kambon R. Williams, Esquire

There appears to be no stopping the continued breathtaking pace of cyberattacks as we head into 2018.  In 2017, the Equifax data breach exposed the nonpublic information of over 140 million consumers; there were allegations that Uber hired hackers to conceal a data breach involving over 57 million rider accounts; and Yahoo confirmed that its 2013 data breach (which was initially reported in 2016 to involve 1 billion accounts), actually involved every one of the 3 billion accounts managed by the company.  Amazingly, these events have not prompted a significant push from Congress for national data security standards.   However, following New York’s lead, state legislators and regulators (including those in Maryland) now appear ready to take up the mantle with the Insurance Data Security Model Law (“Model Law”) recently adopted by the National Association of Insurance Commissioners (“NAIC”).  NAIC adopted the Model Law in October 2017 to establish standards for data security and investigation for the insurers or “licensees” its members regulate, but the Model Law may have broader implications for many other businesses as well.

There have been reports that both the House Financial Services Committee and Senate Commerce Committee are finally considering the issue of data security standards given recent events, but, given the trend of cyberattacks in recent years, the New York State Department of Financial Services (“DFS”) (which has regulatory jurisdiction over banks, insurance companies, and other financial services institutions in New York), was not content to wait and enacted 23 NYCRR Part 500 on March 1, 2017.  New York’s cybersecurity regulation was the first in the nation to mandate protection by banks, insurers and other financial institutions within DFS’ regulatory jurisdiction of their customer information from cyberattacks and has become the “gold standard” for the nation’s financial services industry.

Not surprisingly, NAIC looked to New York’s cybersecurity regulation as a guiding star for its own efforts to draft the comprehensive data security standards for insurers provided in the Model Law.  NAIC’s initial drafts of the Model Law contained some important distinctions (such as the need to provide an annual report summarizing the covered entities’ risk assessments rather than an annual certification or the need to provide notice of cybersecurity events to not just the insurance commissioner but also independent producers), but a drafter’s note in the most recent Version 6 of the Model Law provides that compliance with New York’s cybersecurity regulations also constitutes compliance with the Model Law. 

As with New York’s cybersecurity regulations, NAIC’s Model Law requires, among other things, the following:

  • Creation of a comprehensive Information Security Program based on a risk assessment that identifies risks to the business, including its use of Third-Party Service Providers, and determination of which security measures are appropriate to implement;
  • Designation of an individual to oversee the Information Security Program;
  • Oversight by the Board of Directors;
  • Oversight of Third-Party Service Provider agreements;
  • Establishment of an incident response plan;
  • Investigation and notification of Cybersecurity Events within 72 hours from a determination that a reportable Cybersecurity Event has occurred; and
  • Providing an annual certification of compliance to the Insurance Commissioner by February 15 of each year.

In accord with New York’s cybersecurity regulation, the Model Law includes exemptions from compliance for licensees with fewer than 10 employees or for employees or agents of licensees that are otherwise protected by the information security program of the licensee.  However, the Model Law includes far fewer exemptions than found under New York’s cybersecurity regulation and is noticeably missing the particular exemptions New York has provided for covered entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years or less than $10,000,000 in year-end total assets. 

NAIC’s move towards conformity with New York’s cybersecurity regulations has pleased some commentators hoping to establish a single data security standard for insurers, but Version 6 still does not include the “exclusive standards for data security applicable to licensees in the state” language that some were advocating for NAIC to include.  Many of these commentators express concern about a “patchwork” regulatory environment and highlight that company-wide data security programs generally do not vary from state to state because the security risks do not vary from state to state. NAIC has clearly taken efforts to address those concerns, but, to the extent the Model Law incorporates the varying breach notification laws of the adopting states, complete uniformity was likely always an elusive goal.

Following NAIC’s adoption of the Model Law, insurance commissioners from each state are expected to work with state legislators for broader adoption.  NAIC pointed out at its recent Fall National Meeting that the Treasury Department’s October 2017 report on the asset management and insurance industries includes a recommendation that Congress enact a national insurance cybersecurity law if states fail to enact uniform cybersecurity laws within five years.  Thus, it is anticipated that the Model Law will soon be introduced for enactment around the nation.  The individual political environment of each state is beyond the scope of this article, but it would not be unreasonable to bet that most states will choose enactment over being subjected to a superseding federal law.  Hence, the Model Law is something that businesses should be paying attention to now.

Unlike New York’s cybersecurity regulations, which apply to not only insurers but also a wider array of financial service institutions, the enacted Model Law will likely only apply to insurance licensees, but there are still broader implications for other businesses.  The law applied by courts for lawsuits brought by individuals impacted by data breaches is evolving but it is possible that many courts may begin to look to the data security standards of the Model Law as the “standard of care” for all businesses.  Moreover, insurers lacking sufficient actuarial data to properly assess their exposure from new cybersecurity policies will likely start using things like adherence to data security standards, such as those in the Model Law, as a measuring stick for underwriting.  That may force many businesses to conform to those standards to obtain coverage or to avoid costly premiums.

Finally, state legislators may find it impractical to have breach notification laws that generally apply to all businesses alongside data security standards that only apply to insurance licensees and may enlarge the scope of the Model Law to cover more businesses or may incorporate the data security standards of the Model Law into the breach notification laws.  Section 14-3503(a) of the Maryland Personal Information Protection Act (Maryland’s breach notification statute) already requires Maryland businesses to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.”  The consideration of NAIC’s Model Law will provide Maryland legislators with a perfect opportunity to more precisely describe those “reasonable security procedures and practices” as NAIC has done the work for them. 

That being so, it behooves all businesses, including those in Maryland, to become familiar with the requirements of the Model Law now so that an objective assessment of the impact can be determined and the costs and administrative burdens of any future compliance can be smoothly rolled into existing budgets.

Kambon “Kam” Williams represents insurers in administrative, regulatory, general tort and flood actions.  He has extensive experience in complex commercial litigation, state and federal mass tort/class actions and a number of federal multi-district class actions.  Kam’s cybersecurity litigation experience includes serving as chief architect and lead counsel in Bert Glaser v. AT&T, Inc. et al., Case No. 1:12-cv-00166 and Laura Maguire et al. v. Facebook, Inc., Case No. 5:12-cv-00807 both of which were class action suits involving, among other issues, whether any cyber liability insurance carried by any potential defendant could be triggered by the alleged statutory privacy and wiretap violations.  Kam regularly monitors cyber liability issues, primarily in the insurance field context.  He can be reached at 410-769-6142 or kwilliams@pklaw.com.

Are You Ready For A DHS Visit? Top Five Things Schools Need to Know NOW

By:  Jennifer Ciarrocchi, Esquire

There have been few occasions in recent history when immigration has been such a hot topic.  The current administration has directed Immigration and Customs Enforcement (ICE) to increase enforcement efforts against removable aliens, including the hiring of more enforcement agents.  As enforcement efforts grow, schools must be prepared for the possibility of campus visits from federal immigration enforcement officials.  While the amount of notice an institution may have prior to a site visit will inevitably vary, schools should take action now to become informed about their obligations to provide documentation to federal officials, and to develop standard procedures for handling requests for access to documents and students themselves. 

  1. Know Your Agency

The Department of Homeland Security (DHS) charges ICE with apprehending and removing individuals who are unlawfully present in the United States.  It is most likely that a campus visit would be from ICE agents, although Customs and Border Protection (CBP) may also seek student information by visiting school campuses.  It is important to recognize that ICE and CBP officers’ enforcement powers stem from civil, and not criminal, authority.  Therefore, if an ICE or CBP officer presents a warrant, it is most likely an administrative warrant, which is distinct from a court-ordered warrant used in criminal law enforcement. 

  2. Know Your FERPA

The Family Educational Rights and Privacy Act (FERPA), which applies to public schools and state or local education agencies receiving federal education funding, prohibits the release of a student’s education records without prior consent.  If an ICE officer requests student education records that fall under FERPA, there is no clear exception authorizing the release of this information merely because of the source and nature of the request.

  3. . . . And Your FERPA Exceptions

For international students on F-1, J-1 or M visas, there are specific requirements for schools to provide certain information upon request from ICE.  FERPA permits schools to comply with this type of information request; however, the DHS regulations requiring schools to comply list specific categories of information that must be provided.  Schools must be familiar with these categories to avoid inadvertently violating FERPA by responding to an overly broad request for information.  Additionally, ICE’s requests for information must be made to the school’s Designated School Official (“DSO”).  A request made to another school administrator does not meet the FERPA exception. 

  4. Know Your Warrants

FERPA also provides that schools must comply with judicially-issued warrants and subpoenas for student records that would otherwise be entitled to FERPA protection.  However, as noted above, ICE frequently presents administrative warrants requesting information.  The FERPA warrant exception does not apply to administrative warrants, which are not court-ordered.  Therefore, a school cannot provide confidential education records requested by an administrative warrant without running afoul of FERPA.

  5. Develop Training Procedures and Clear Policies That Involve Legal Counsel

Recognize the fact that a campus visit from an ICE officer may seem frightening to staff, and as noted above, there are many factors to consider when determining how to proceed.  Therefore, it is crucial that colleges develop standard procedures and train staff on how to respond to an ICE visit.  These procedures should include a clear chain of notification and command, under which all requests for information, including all documentation and warrants provided by the ICE officer, are immediately sent to legal counsel who can determine whether and how to comply.  A school’s procedures should expressly prohibit personnel from providing any information whatsoever prior to receiving instructions from legal counsel. 

Most importantly, schools must ensure that there is open communication and coordination between administrators, international student offices, and legal counsel.  Balancing the need to comply with immigration law and FERPA while ensuring that students feel secure on campus and that school operations are not unnecessarily disrupted may seem daunting.  Schools can put themselves in the best position possible to respond to these competing interests by being proactive in developing guidance, training and procedures for DHS visits. 

Jennifer Ciarrocchi is an Associate in PK Law’s Education, Labor and Employment Group where she represents local school boards, superintendents, colleges, and private sector employers in sexual harassment, employment discrimination, substance abuse, privacy, employment contracts, special education, and Title IX matters.  Jennifer also has more than five years of experience in immigration law.  Her current practice includes advising colleges about immigration laws that impact their student body and staff.  She is a member of the NAFSA: Association of International Educators.  Jennifer can be reached at 410-938-8709 or jciarrocchi@pklaw.com.

Paid Sick Leave Legislation Appears Inevitable for Maryland Businesses

By: Andrew Scott, Esquire

Last legislative session the Maryland General Assembly passed the Maryland Healthy Working Families Act (HB1/SB230) (“the Act”), which required employers with 15 or more employees to provide paid sick and safe leave. Although Governor Hogan later vetoed the Act, the Act had passed with enough votes to override the Governor’s veto, leading many to speculate that the legislature would override the Governor’s veto at the beginning of the new legislative session in January 2018. But the Act passed the Senate with exactly the number of votes needed for an override, meaning that a defection of even one senator could result in the inability to override the Governor’s veto.

In recent days, at least one Democratic delegate who originally voted for the Act has publicly expressed concerns about the Act’s impact on small businesses. Although this delegate’s potential defection would not affect the ability of both the Senate and the House of Delegates to override the veto, the delegate’s break from party ranks has caused speculation as to whether the political will to override the veto is eroding.

To further complicate things, Governor Hogan recently announced an emergency compromise bill that will be filed on the first day of the upcoming legislative session. Under that bill, known as the Paid Leave Compromise Act of 2018, businesses with 25 or more employees would be required to offer paid leave to their employees by 2020, but in order to give businesses time to prepare, the benefits would be phased in, starting in 2018 for businesses with 50 or more employees. Governor Hogan has also indicated that he will introduce a Small Business Relief Tax Credit, which would provide tax credits to businesses with fewer than 50 employees that provide paid leave benefits to their employees.

In light of the uncertainty as to whether the Governor’s veto of the Act will be overridden, employers should be preparing for implementation of paid sick leave legislation in order to avoid costly compliance issues should legislation take effect early in 2018.

Employers should be comparing their existing paid leave policies, if any, to the requirements of the Act. The general requirements of the Act may be found HERE. In particular:

  1. Employers should be ensuring that their time keeping systems have the capability of tracking the accrual of paid leave.
  2. Employers should be ensuring that existing leave policies allow for the use of paid leave in all the situations contemplated by the Act.

Employers who do not currently have an existing paid leave policy should be developing one in case implementation becomes necessary early next year.

Andrew Scott is a Member of PK Law and part of the firm’s Labor and Employment Group. He represents private sector employers and public schools before federal and state courts, federal and state civil rights agencies, and the Maryland Office of Administrative Hearings on a variety of matters, including employment discrimination litigation, collective bargaining, teacher and student discipline, construction and procurement, and wage and hour claims. Mr. Scott also advises clients on the design and implementation of employment agreements, employee handbooks, policies and procedures.