(a) In this subtitle the following words have the meanings indicated.
(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using a technology that:
(1) is certified to meet or exceed the level that has been adopted by the Federal Information Processing Standards issued by the National Institute of Standards and Technology; and
(2) renders such data indecipherable without an associated cryptographic key necessary to enable decryption of such data.
(c) (1) “Personal information” means an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
(i) a Social Security number;
(ii) a driver’s license number, state identification card number, or other individual identification number issued by a unit;
(iii) a passport number or other identification number issued by the United States government;
(iv) an Individual Taxpayer Identification Number; or
(v) a financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.
(2) “Personal information” does not include a voter registration number.
(d) “Reasonable security procedures and practices” means data security procedures and practices developed, in good faith, and set forth in a written information security policy.
(e) “Records” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
(f) “Unit” means:
(1) an executive agency, or a department, a board, a commission, an authority, a public institution of higher education, a unit or an instrumentality of the State; or
(2) a county, municipality, bi–county, regional, or multicounty agency, county board of education, public corporation or authority, or any other political subdivision of the State.