Maryland’s 3 New Cybersecurity Laws Strengthen its Standing to be the ‘Cyber Capital of America’

Click here to listen to this article via the BreachRx Blogcast

In May 2022, Maryland Governor Larry Hogan signed three bills into law to “further strengthen Maryland’s standing as the cyber capital of America.”

Together, these new laws solidify the state’s Office of Security Management and the position of state chief information security officer (SB812), introduce a cybersecurity preparedness unit for local governments (SB754), and establish cybersecurity reporting requirements for water and sewer systems as well as a plan to upgrade legacy security systems (HB1205).

While these laws will have the biggest impact within the state, they do have implications beyond Maryland’s borders, making it important to take note of what’s required.

Who is Subject to Maryland’s Cybersecurity Laws

Maryland’s new cybersecurity laws focus on local government offices and agencies within the state, as well as any public or private company that operates water or sewer systems in the state. 

Water and sewer systems that serve at least 10,000 customers and receive financial support from the state are subject to additional requirements, including conducting cybersecurity vulnerability assessments and submitting cybersecurity plans to the state. However, HB1205 includes exemptions from these additional requirements for 10 institutions: 

• The Maryland Port Administration
• The University System of Maryland
• St. Mary’s College of Maryland
• Morgan State University
• The Maryland Stadium Authority
• Baltimore City Community College
• The State Board of Elections
• The Office of the Attorney General
• The Comptroller
• The State Treasurer

Similarly, SB812 includes exemptions from supervision by the Office of Security Management for activities related to the purchase, lease, or rental of information technology by public higher education institutions if it’s solely for academic or research purposes. The law specifically names the same six institutions that also receive exemptions under HB1205 as well as the legislative branch of state government, the judicial branch of state government, the office of the attorney general, the comptroller, and the state treasurer.

How Maryland’s Cybersecurity Laws Get Enforced

SB812 solidifies the state’s Office of Security Management and the position of state chief information security officer (CISO), which were originally created by executive order in 2019.

Now, the CISO is a permanent role nominated by the governor and confirmed by the state senate. The law outlines requirements for who can be appointed as state CISO, as well as responsibilities for the role, which include:

• Providing cybersecurity advice and recommendations to the governor
• Appointing a Director of Local Cybersecurity to work with the Maryland Department of Emergency Management to provide technical assistance, coordinate resources, and improve cybersecurity preparedness for local governments
• Appointing a Director of State Cybersecurity to ensure state government agencies adhere to the law

Meanwhile, the Office of Security Management, led by the CISO, now has numerous new responsibilities, including:

• Direct, coordinate, and implement the overall cybersecurity strategy and policy for the state government
• Establish standards to categorize all information and information systems collected or maintained by the state government, develop guidelines governing the types of information and information systems to be included in each category, establish security requirements for each category, and assess the implementation of those requirements
• Determine corrective actions to remediate any vulnerabilities or threats that may arise
• Lead security awareness training for employees of state government agencies
• Support the development of data management, data governance, and data specification standards to reduce risk as well as a digital identity standard for all agencies within the state government communicating with one another
• Develop and maintain information technology security policy, standards, and guidance documents aligned to 23 best practices from NIST
• Support local government in mitigating and recovering from cybersecurity incidents, and advise them on how to improve cybersecurity preparedness, prevention, response, and recovery practices
• Conduct regional exercises with the Maryland Department of Emergency Managers, the National Guard, and Local Emergency Managers 
• Issue a report to the governor and designated joint congressional committees annually on the activities and accomplishments of the office, the issues identified by any cybersecurity preparedness assessments, the status of vulnerability assessments and a timeline for completion 

Finally, SB754 gives the Maryland Department of Emergency Management authority to create a cybersecurity preparedness unit and provides a budget for that unit to work with local government on defenses, as outlined by the CISO and Office of Security Management.

Proactive Planning Requirements Under Maryland’s Cybersecurity Laws

State and local government offices and agencies will have to comply with the cybersecurity preparedness policies set forth by the Office of Security Management. This includes guidelines around categorizing information and information systems, adhering to the set security requirements for each one, and following any other designated policies. 

Further, state and local government offices and agencies must certify annually on or before December 1 of each year that they are in compliance with the minimum security standards set by the Office of Security Management. They should also complete a cybersecurity preparedness assessment that includes:

• Number of information technology staff positions, including vacancies
• Cybersecurity budget and overall information technology budget
• Number of employees who have received cybersecurity training
• Total number of employees with access to computer systems and databases

HB1205 sets additional standards for water and sewer systems. Under this law, any public or private water or sewer system that serves 10,000 or more users and receives financial assistance from Maryland must submit a report to the state’s General Assembly on or before December 1, 2023. The report should include an assessment of vulnerability to a cyber attack and a clear cybersecurity plan to protect against attacks.

Incident Reporting Requirements Under Maryland’s Cybersecurity Laws

SB812 gives authority to the CISO to establish guidelines for when a cybersecurity incident should be disclosed to the public. The CISO has yet to release these guidelines, but if Maryland follows the trend set by new laws in states like Connecticut and Utah, they will err on the more business-friendly side. For example, we might expect a more vague notification timeline or, if it’s more explicit, a window of several days, and the opportunity to skip sending notifications if an investigation shows a low risk of harm to affected individuals.

Until the CISO releases new guidelines, incident response notification in Maryland continues to follow the requirements set forth under the state’s Personal Information Protection Act of commercial law, which went into effect in 2018. 

What incidents require notification?

Any data breach of electronic information requires a notification. Maryland defines a data breach as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions.

Personal information includes:

• First name or first initial and last name along with at least one of the following unencrypted, unredacted, or otherwise unprotected data elements:
  • Social security number, individual taxpayer identification number, passport number, or other identification number issued by the federal government
  • Driver’s license or state identification card number
  • An account, credit card, or a debit card number along with a required security code or password 
  • Health information, both physical and mental
  • Health insurance policy or certificate number or health insurance subscriber identification number along with a unique identifier that permits access to an individual’s health information
  • Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique characteristic, that can be used for authentication
• A username or email address along with a password or security question and answer

Who needs to be notified following an incident?

Organizations that experience an incident must notify the state attorney general first and then any affected individuals once the attorney general has been notified.

However, notice is not required if the information is encrypted, redacted, or unreadable or if a good faith investigation finds that misuse of personal information is unlikely. In the latter instances, organizations must document their decision and maintain those records in writing for three years.

When and how do notifications need to be issued?

Organizations must issue notifications as soon as reasonably practicable, no later than 45 days after completing any investigation into the incident. Law enforcement agencies can delay this timeline if they determine that issuing notifications will interfere with a criminal investigation or jeopardize homeland or national security.

Options for issuing notifications include:

• Written notice delivered by mail
• Telephone message
• Email notice, if individuals have expressly consented to receiving emails or the organization conducts business primarily online

If the cost to provide notice would exceed $100,000, the number of state residents to notify exceeds 175,000, or the organization does not have sufficient contact information, then they can issue a substitute notice. A substitute notice should include a conspicuous posting on the company website as well as a notification to statewide media.

Finally, if the organization must notify 1,000 or more state residents, then they must also notify nationwide consumer reporting agencies by sharing the timing, distribution, and content of the notice.

What should be included in the notification?

Notifications to affected individuals should include:

• Description of the personal information affected, with as many specifics as possible
• Organization’s contact information, including address, phone number, and toll-free number (if applicable)
• Toll-free phone numbers and addresses of major consumer reporting agencies
• Toll-free phone numbers, addresses, and URL for the FTC and Maryland Attorney General along with a note that individuals can get information from these resources about how to avoid identity theft

Security Breaches That Might Trigger Notification Under Maryland Law

Whether it’s under the 2018 law or the soon-to-be-released guidance from Maryland’s CISO on incident reporting requirements, the following types of security breaches are examples of those likely to trigger a notification requirement under Maryland state law:

Phishing

A phishing attack occurs when hackers trick users into sharing sensitive information or clicking on a malicious link by posing as a legitimate source and asking for information over channels like email and text. If personal information (or passwords to systems that contain personal information) gets exposed, it may trigger a notification under Maryland law.

Nation-State Attack

A nation-state attack is supported by a country’s government and has become increasingly common over the past few years. These attacks typically look to gain access to sensitive information, and if that includes any personal data that puts individuals at risk, it could trigger a notification under Maryland law.

Trojan Attack

A trojan attack occurs when a malicious program gets hidden inside legitimate software and users then download that software. This gives hackers access to view those users’ digital behavior and access information on their devices. If the affected users have access to personal information, especially in an unencrypted form, it could trigger a notification under Maryland law.

How Organizations Should Prepare to Comply with Maryland’s New Cybersecurity Laws

Given the planning requirements outlined in Maryland’s new cybersecurity laws, along with the fact that the CISO will continue to release more guidelines, it’s essential for organizations subject to the laws to take a proactive approach to compliance.

This proactive approach should include outlining response plans, bringing in stakeholders early, and confirming workflows. Generally, organizations should prepare for three phases of incident response:

Readiness

Establishing response plans before a breach occurs allows companies to take action quickly when an incident inevitably strikes. This fast response is especially important since it can lead to better outcomes around managing the recovery, avoiding penalties, and maintaining customer trust.

Key readiness activities include:

• Understanding requirements in applicable regulations and customer and partner contracts
• Outlining response plans for each regulation
• Pinpointing responsibilities for critical response efforts
• Conducting tabletop exercises to prepare those with responsibilities

Response

When an incident does occur, teams will need to jump into action immediately to determine what happened, fix the issue, and notify regulators and customers. Responding completely is essential to maintaining compliance with laws like those in Maryland and to satisfying commitments to customers and partners.

Key response activities include:

• Investigating what happened, how and when it happened, the impacted systems and data, and any potential risks
• Patching vulnerabilities to prevent recurrence
• Issuing notifications according to regulatory and contractual requirements
• Establishing a safe haven for team communications around response efforts

Ongoing Management

It’s important to visit response plans on an ongoing basis to update them as regulations and security threats evolve. These ongoing efforts should also help identify any areas to improve preparedness and response efficiency and to keep stakeholders aligned on their roles in response efforts.

Key ongoing management activities include:

• Setting up a centralized dashboard to report on incident response plans and track changes to regulations and contracts
• Maintaining stakeholder awareness of responsibilities and any changes to response plans
• Finding ways to improve any areas of weakness in security or response plans

What to Expect as Maryland’s New Cybersecurity Laws Go Into Effect

Maryland’s cybersecurity laws are still quite new, and several questions remain about what to expect as they go into effect. Chief among these is the forthcoming guidance from the CISO on incident response requirements, however that’s not where the questions end.

As with any new law, we can expect to learn more about potential points of confusion or areas of particularly strong enforcement as time goes on. This will come in the form of violations that arise and how both the CISO and Office of Security Management respond. It also remains to be seen how active a role the Office of Security Management will take in proactively providing guidance to organizations subject to the new laws.

In general, Maryland’s new laws are more specialized than other recent laws passed in the US since they focus on certain types of organizations and more narrow instances of data breaches. However, as the state continues to remain bullish on increasing cybersecurity, it will also be interesting to see what other regulations lawmakers might pass for even more comprehensive incident response coverage.

Make Proactive Incident Response a Priority

As Maryland’s new cybersecurity laws go into effect and new guidance from the CISO comes out, it’s essential for companies to make proactive incident response a priority. Doing so will not only help maintain compliance with the state’s new planning requirements, but also support a faster response when incidents do occur to help reduce costs and strengthen customer trust.

This level of proactivity starts by staying on top of changes to regulations, outlining clear response plans, confirming participation and responsibilities with key stakeholders, and preparing those stakeholders with tabletop exercises. Critically, organizations should revisit these efforts on an ongoing basis to keep response plans as strong as possible.