Maryland Cybersecurity Laws

Inside the requirements of three new laws in the state

Maryland introduced three new cybersecurity laws in May 2022 to make the state’s Office of Security Management and the position of state chief information security officer (CISO) permanent (SB812), introduce a cybersecurity preparedness unit for local governments (SB754), and establish cybersecurity reporting requirements for water and sewer systems as well as a plan to upgrade legacy security systems (HB1205). These laws will affect organizations within Maryland the most, but they do have implications beyond the state, making it important to understand what’s required.


Who is Subject to Maryland’s Cybersecurity Laws

Maryland’s new cybersecurity laws primarily apply to local government offices and agencies and public or private companies that operate water or sewer systems in the state. Additionally, any water or sewer system that serves at least 10,000 customers and receives financial support from Maryland must also conduct cybersecurity vulnerability assessments and submit cybersecurity plans to the state.

Both HB1205 and SB812 include exemptions from some of these additional requirements. For example, HB1205 exempts 10 named higher education and government institutions from the assessment and planning requirement. Meanwhile, SB812 exempts those same institutions, as well as a few more named government agencies, from supervision by the Office of Security Management for certain activities.

Enforcement

SB812 makes the state’s Office of Security Management and CISO permanent. Together, these roles are responsible for enforcing the new laws, including:

  • Providing cybersecurity advice and recommendations
  • Implementing cybersecurity strategies and policies
  • Establishing standards to categorize information and information systems
  • Determining corrective actions in response to threats
  • Developing data management and data governance standards
  • Issuing annual reports on cybersecurity preparedness and vulnerabilities

Proactive Planning Requirements

State and local government offices must comply with the cybersecurity preparedness policies issued by the Office of Security Management. They must also certify annually, on or before December 1, that they are in compliance with minimum security standards, and complete a cybersecurity preparedness assessment that includes:

  • Number of information technology staff positions, including vacancies
  • Cybersecurity budget and overall information technology budget
  • Number of employees who have received cybersecurity training
  • Total number of employees with access to computer systems and databases

SB754 also gives the Maryland Department of Emergency Management authority to create a cybersecurity preparedness unit and provides a budget to work with local governments on defenses.

Incident Reporting Requirements Under Maryland’s Cybersecurity Laws

Under SB812, the CISO has authority to introduce guidelines for when a cybersecurity incident should be disclosed to the public. However, these guidelines have yet to be released. Until then, incident notification in Maryland continues to follow the requirements of the state’s Personal Information Protection Act (part of Maryland’s commercial law).

What is a data breach?

Any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information, excluding certain good faith acquisitions.

What is personal information?

A username or email address along with a password or security question and answer, or a person’s first name or first initial and last name along with at least one of the following unencrypted, unredacted, or otherwise unprotected data elements:

  • Social security number, individual taxpayer identification number, passport number, or other identification number from the federal government
  • Driver’s license or state identification card number
  • An account, credit card, or a debit card number along with a required security code or password
  • Health information, both physical and mental
  • Health insurance policy or certificate number or health insurance subscriber identification number along with a unique identifier that permits access to an individual’s health information
  • Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique characteristic, that can be used for authentication

Who should be notified following a breach?

The state attorney general first, and then any affected individuals once the attorney general has been notified. If the organization must notify 1,000 or more state residents, then it must also notify nationwide consumer reporting agencies.

When should a notification be issued?

As soon as reasonably practicable, and no later than 45 days after completing any investigation into the incident.

Law enforcement agencies can delay this timeline if issuing notifications will interfere with a criminal investigation or jeopardize homeland or national security.

How should a notification be issued?
  • Written notice delivered by mail
  • Telephone message
  • Email notice, if individuals have expressly consented to receiving emails or the organization conducts business primarily online

Substitute notices in the form of a conspicuous posting on the company website and a notification to statewide media are allowed if the cost to provide notice would exceed $100,000, the number of state residents to notify exceeds 175,000, or the organization does not have sufficient contact information.

What should the notification include?
  • Description of the personal information affected, with as many specifics as possible
  • Organization’s contact information, including address, phone number, and toll-free number
  • Toll-free phone numbers and addresses of major consumer reporting agencies
  • Toll-free phone numbers, addresses, and URL for the FTC and Maryland Attorney General along with a note that individuals can get information from these resources about how to avoid identity theft

Are there any exceptions to issuing a notification?

Notice is not required if the information is encrypted, redacted, or otherwise unreadable, or if a good faith investigation finds that misuse of personal information is unlikely (in which case the organization must document its decision and keep those records in writing for three years).

Security Breaches That Might Trigger Notification in Maryland

Under the existing law or the new guidance yet to be released by the CISO, the following security breaches are likely to trigger the notification requirement under Maryland law:

Phishing

An attack in which threat actors trick users into clicking on a malicious link or sharing information (e.g. personal data or passwords) by posing as a legitimate source on channels like email and text.

Nation-State Attack

An attack supported or launched by a country’s government that typically looks to gain access to proprietary and sensitive information, including contract and personal data that could put companies and individuals at risk.

Trojan Attack

An attack in which a malicious program is hidden inside software that users download, giving attackers the ability to observe users’ activity and access information on their devices.

How Organizations Can Prepare to Comply with Maryland’s New Cybersecurity Laws

Maryland’s cybersecurity laws require security planning, making it essential for organizations to proactively prepare for compliance. This preparation should cover three phases of incident response:

Readiness

Establish response plans before a breach occurs, making it possible to take action quickly when an incident strikes. This includes understanding requirements, outlining response plans, assigning responsibilities, and conducting tabletop exercises for practice.

Response

Jump into action immediately when an incident occurs to maintain compliance. This includes identifying what happened (e.g. how, when, which data was impacted, potential risks), patching vulnerabilities, issuing notifications, and establishing a secure channel for team communications.

Ongoing Management

Revisit response plans regularly to keep them updated as regulations and threats evolve. This includes setting up a centralized dashboard to report on response plans and track changes to regulations, maintaining awareness of responsibilities, and determining areas of improvement.

Making Proactive Incident Response a Priority

With three new cybersecurity laws coming into effect in Maryland, plus forthcoming guidance from the CISO around those laws, proactive incident response is a must to maintain compliance and reduce costs following a data breach. Planning proactively requires keeping up with regulatory changes, documenting clear response plans, assigning responsibilities, and preparing team members accordingly, so that everyone can move quickly when an incident occurs.
