Commission Puts Forth Cybersecurity Legislation to Help Strengthen “CyberMaryland”
The 2013 Session of the Maryland General Assembly failed to pass cybersecurity legislation related to breach notification requirements that was applicable for businesses and had difficulty passing similar legislation that would apply to the entire State government. These bills require the appropriate entities to notify individuals of a breach of unencrypted personal information. A breach is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of the personal information. As a result, businesses must continue to comply with the existing breach notification law applicable to commercial entities, and certain governmental units now are required to adhere to standards similar to what the businesses must follow.
The Maryland Commission on Cybersecurity Innovation and Excellence, chaired by Senator Catherine Pugh and Delegate Susan Lee, put forth two breach notification bills: (1) HB 960/SB 859, Maryland Personal Information Protection Act – Revisions, which addressed business requirements for breach notification; and (2) HB 959/SB 676, Governmental Procedures – Security and Protection of Information, which applied to certain governmental entities.
HB 960, which applied to businesses, did not pass. Businesses opposed the bill because it heightened existing standards regarding the protection of personal information. Businesses were concerned, for example, that the definition of “personal information” was too broad and that the legislation would create an additional financial burden. Thus, the standards of the existing breach notification law remain the same.
However, SB 676 did pass, and now will require certain governmental units to notify individuals of a breach of personal information. While the Judiciary and Legislative branches of Maryland Government wanted to be exempt from SB 676, the Executive branch and other governmental units (e.g., public institutions of higher education and local agencies) must comply with the legislation and, in turn, notify individuals of a breach of personal information. Branches that are exempt were concerned, for example, that the legislation did not clearly state which judicial records would be subject to the bill and that it would be too costly to implement.
Cybersecurity reform remains a primary focus of the Commission given its particular importance in Maryland, which in 2010 and 2011 ranked 3rd for per capita identity fraud complaints and 9th for per capita identity theft complaints. Now that some Maryland governmental units are required to notify of a security breach involving personal information, Maryland is no longer far behind most states that have enacted breach notification legislation applicable to governmental units. Also, research suggests cyber attacks are more prevalent and more damaging. Finally, Maryland is trying to brand itself as a cybersecurity epicenter. The CyberMaryland initiative was launched in 2010 to address the challenges to the security of our digital infrastructure and reinforce Maryland’s leadership in cybersecurity and information technology.
Breach notification laws will help in the effort to protect individuals and their personal information. The Commission looks forward to making further progress in the next legislative session to continue to protect the State and individuals from cyber attacks.
For detailed information on the bills, please click on the following links:
The Maryland Commission on Cybersecurity Innovation and Excellence was authorized in July 2011. The Commission is charged with conducting an overview of federal and state cyber security laws and policies, considering Maryland’s role in promoting cyber innovation, and recommending a comprehensive framework and strategic plan for cyber security innovation and excellence, including recovery from cyber attack. The Commission will also recommend ways to attract private investment and promote innovation through public private partnerships, research and development, workforce training, and education. CHHS Founder and Director Michael Greenberger was appointed by the Governor to the Commission.
CHHS law and policy analysts Avery Blank and Peter Suh worked with the Commission on this session’s cybersecurity legislation and testified on behalf of the Commission before various Maryland Senate and House Committees.
 Per Maryland legislation, “personal information” means “an individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
1) a Social Security number;
2) a driver’s license number, state identification card number, or other individual identification number issued by a [governmental] unit;
3) a passport number or other identification number issued by the United States Government;
4) an Individual Taxpayer Identification Number; or
5) a financial or other account number, credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual’s account.”
 This session, the Maryland Commission on Cybersecurity Innovation and Excellence also passed HB 942, a bill on medical identification fraud, and received an unfavorable report on HB 937, a telemedicine-related bill. For detailed information on these bills, click on the following links:
· HB 942, Identify Fraud – Health Information and Health Care Records: http://mgaleg.maryland.gov/webmga/frmMain.aspx?pid=billpage&tab=subject3&id=hb0942&stab=01&ys=2013RS
· HB 937, Commission on Maryland Cybersecurity Innovation and Excellence – Duties: http://mgaleg.maryland.gov/webmga/frmMain.aspx?id=hb0937&stab=01&pid=billpage&tab=subject3&ys=2013RS
 Federal Trade Commission, Consumer Sentinel Network Data Book for January-December 2011, Feb. 2012, available at http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2011.pdf (last visited Apr. 9, 2013).
 Ponemon Institute, 2012 Consumer Study on Data Breach Notification, June 2012, available at http://www.experian.com/assets/data-breach/brochures/ponemon-notification-study-2012.pdf (last visited Apr. 2, 2013).
 Doug Gross, Massive Cyberattack Hits Internet Users, CNN.com, Mar. 29, 2013, http://www.cnn.com/2013/03/27/tech/massive-internet-attack (last visited Apr. 2, 2013).