Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence
December 6, 2012
Michael Greenberger
Professor of Law
Founder and Director, CHHS
Legislative Proposals
- Maryland should amend the Maryland Personal Information Protection Act (MPIPA).
- Maryland should be aware of, and be ready to promptly pass, state legislation to support the soon-to-be-published cybersecurity executive order from President Obama, which tries to achieve the goals of the Cybersecurity Act of 2012 (S. 3414).
Maryland Personal Information Protection Act (MPIPA)
In 2007, Maryland passed the Maryland Personal Information Protection Act (Md. Code Ann. Comm. Law 14-3504) to help protect Maryland citizens' personal information from identity thieves. MPIPA was enacted to help ensure that Maryland consumers' personal identifying information is reasonably protected and that, in the case of a breach, the consumer is notified so that they can take measures to protect themselves.
Maryland Personal Information Protection Act (MPIPA)
While MPIPA provides important safeguards against identity theft and security breaches, it contains loopholes and ambiguous provisions that may leave Marylanders vulnerable. MPIPA can be strengthened to better secure Marylanders' personal information. Maryland should increase the effectiveness of MPIPA by: (1) closing loopholes to increase the legislation's applicability; (2) addressing ambiguous provisions in the notification process; (3) eliminating the encryption exemption; and (4) clarifying the term "reasonable security procedures and practices."
Close MPIPA's Loopholes to Increase Its Applicability
- The MPIPA definition of "personal information" should be broadened to capture additional sensitive information and be flexible enough to adapt to the arrival of new types of information and technology that can expose individuals to identity theft.
- Expand MPIPA's jurisdiction to include government, because government stores the same type of personal information as businesses, there is a history of government susceptibility to breaches, and other states' laws commonly include government.
Clarify Provisions in MPIPA's Notification Process
- The notification trigger is vague and needs to be clarified by linking the notification duty to the threat of identity fraud, as defined in section 8-301 of the Criminal Law Article of the Maryland Code, in order to provide businesses with appropriate guidance and to avoid over-notification.
- The timing provision should be amended to create a definitive deadline requiring that notifications be made without unreasonable delay, but no later than 45 days after learning of the breach.
Strengthen How MPIPA Deals with Encryption
- Eliminate the encryption safe-harbor provision and include encryption as part of an expansive set of practices, including training and awareness programs and strong identity and access-management procedures, because companies often rely too heavily on encryption and become more susceptible to security breaches.
- Amend the current static definition of encryption and benchmark the encryption standard to the Federal Information Processing Standards issued by the National Institute of Standards and Technology.
Clarify "Reasonable Security Procedures and Practices"
MPIPA can provide a clearer roadmap to regulated entities by dictating key cybersecurity structural and procedural elements, while still allowing them the flexibility to craft these plans to their specific circumstances, by requiring regulated entities to:
- coordinate an information security program;
- conduct a risk assessment;
- design safeguards to control the identified risks and regularly monitor the effectiveness of these controls;
- contractually ensure that their service providers are capable of providing appropriate safeguards for their clients' personal information; and
- evaluate and adjust their information security plan under certain situations.
The Cybersecurity Act of 2012 (S. 3414)
The Cybersecurity Act of 2012 was developed to protect critical infrastructure in the United States from cyber threats. The destruction or exploitation of critical infrastructure through a cyber attack, such as an attack on a region's water supply, could cripple the economy and our national security. This bill would establish a robust public-private partnership to improve the cybersecurity of our nation's most critical infrastructure, which is mostly owned by the private sector. Industry would develop voluntary cybersecurity practices, and a multi-agency government council would ensure these practices are adequate to secure systems from attacks. Private owners who choose to participate in the voluntary cybersecurity program established by the legislation would receive various benefits. While it promotes the sharing of cyber threat information, this legislation also ensures that privacy and civil liberties are protected.
The Pending Cybersecurity Executive Order from President Obama
The U.S. Senate has twice failed to pass the Cybersecurity Act of 2012 (S. 3414). There are reports that President Obama will soon introduce an executive order that will attempt to accomplish much of what was intended in the Cybersecurity Act. However, because of legal limitations, federal executive orders often cannot achieve everything a passed piece of legislation can. Through an executive order, the White House can only use existing law to engage the nation's critical infrastructure entities to promote new and voluntary security enhancements. Other things an executive order cannot accomplish, which the Cybersecurity Act would have, are granting legal liability protections to compliant companies and creating full, robust cyber-threat information sharing exchanges between private companies and the government.
Summary of Cybersecurity Executive Order Draft from President Obama
- Maintains the President's goals to strengthen the cybersecurity of critical infrastructure and pursue new information-sharing capabilities.
- The National Institute of Standards and Technology (NIST), situated in Gaithersburg, Maryland, is being tapped to lead the way in developing a Cybersecurity Framework to identify gaps in the country's digital defenses and set forward standards and methodologies to address the risks.
- The executive order draft tasks federal agencies such as the Commerce and Treasury Departments with determining how to incentivize companies to participate and agree to abide by new security standards.
- The order asks the Pentagon and other agencies to determine whether cybersecurity should factor into the federal procurement process and whether the federal government should grant preferences to vendors adhering to strong cybersecurity standards.
Legislative Recommendations for Maryland to Pass in Support of the Soon-to-Be-Published Cybersecurity Executive Order from President Obama
Based on the summary of the draft Obama executive order, as reported by media outlets, and the summary of the Cybersecurity Act of 2012, the following are recommendations for Maryland to endorse in order to fill in potential gaps left by the executive order and to take advantage of its guidance, with the understanding that the situation is shifting and further details will emerge when the executive order is released:
- Identify critical cyber infrastructure and its greatest cyber vulnerabilities
- Strengthen the public-private cybersecurity partnership
- Develop legislative incentives for businesses to successfully participate and receive certification from the federal government
Legislative Recommendations for Maryland to Pass in Support of the Soon-to-Be-Published Cybersecurity Executive Order from President Obama (Continued)
- Improve information sharing, monitoring, and countermeasures
- Address privacy and civil liberties issues
- Improve the security of Maryland state and local government networks
- Cybersecurity education, recruitment, and workforce development must be emphasized to comply with and complement the new federal cybersecurity guidance