Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence


December 6, 2012
Michael Greenberger, Professor of Law, Founder and Director, CHHS

Legislative Proposals
Maryland should amend the Maryland Personal Information Protection Act (MPIPA).
Maryland should be aware of, and be ready to promptly pass, state legislation to support the soon-to-be-published cybersecurity executive order from President Obama, which tries to achieve the goals of the Cybersecurity Act of 2012 (S. 3414).

Maryland Personal Information Protection Act (MPIPA)
In 2007, Maryland passed the Maryland Personal Information Protection Act (Md. Code Ann. Comm. Law 14-3504) to help protect Maryland citizens' personal information from identity thieves. MPIPA was enacted to help ensure that Maryland consumers' personal identifying information is reasonably protected and, in the case of a breach, that the consumer is notified so that they can take measures to protect themselves.

Maryland Personal Information Protection Act (MPIPA)
While MPIPA provides important safeguards against identity theft and security breaches, it contains loopholes and ambiguous provisions which may leave Marylanders vulnerable. MPIPA can be strengthened to better secure Marylanders' personal information. Maryland should increase the effectiveness of MPIPA by:
(1) closing loopholes to increase the legislation's applicability;
(2) addressing ambiguous provisions in the notification process;
(3) eliminating the encryption exemption; and
(4) clarifying the term "reasonable security procedures and practices".

Close MPIPA's Loopholes to Increase Its Applicability
The MPIPA definition of "personal information" should be broadened to capture additional sensitive information, and should be flexible enough to adapt to the arrival of new types of information and technology that can expose individuals to identity theft.
Expand MPIPA's jurisdiction to include government, because government stores the same types of personal information as businesses, there is a history of government susceptibility to breaches, and many other states' laws already include government.

Clarify Provisions in MPIPA's Notification Process
The notification trigger is vague and needs to be clarified by linking the notification duty to the threat of identity fraud, as defined in section 8-301 of the Criminal Law Article of the Maryland Code, in order to provide businesses with appropriate guidance and to avoid over-notification.
The timing provision should be amended to create a definitive deadline, requiring that notifications be made without unreasonable delay, but no later than 45 days after learning of the breach.

Strengthen How MPIPA Deals with Encryption
Eliminate the encryption safe-harbor provision and instead include encryption as one part of an expansive set of practices, including training and awareness programs and strong identity and access-management procedures, because companies often rely too heavily on encryption alone and become more susceptible to security breaches.
Amend the current static definition of encryption and benchmark the encryption standard to the Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST).

Clarify "Reasonable Security Procedures and Practices"
MPIPA can provide a clearer roadmap to regulated entities by dictating key cybersecurity structural and procedural elements, while still allowing them the flexibility to craft plans for their specific circumstances, by requiring regulated entities to:
coordinate an information security program;
conduct a risk assessment;
design safeguards to control the identified risks and regularly monitor the effectiveness of these controls;
contractually ensure that their service providers are capable of providing appropriate safeguards for their clients' personal information; and
evaluate and adjust their information security plan under certain situations.

The Cybersecurity Act of 2012 (S. 3414)
The Cybersecurity Act of 2012 was developed to protect critical infrastructure in the United States from cyber threats. The destruction or exploitation through a cyber attack of critical infrastructure, such as a region's water supply, could cripple the economy and our national security. This bill would establish a robust public-private partnership to improve the cybersecurity of our nation's most critical infrastructure, most of which is owned by the private sector. Industry would develop voluntary cybersecurity practices, and a multi-agency government council would ensure these practices are adequate to secure systems from attacks. Private owners who choose to participate in the voluntary cybersecurity program established by the legislation would receive various benefits. While it promotes the sharing of cyber threat information, this legislation also ensures that privacy and civil liberties are protected.

The Pending Cybersecurity Executive Order from President Obama
The U.S. Senate has twice failed to pass the Cybersecurity Act of 2012 (S. 3414). There are reports that President Obama will soon issue an executive order which will attempt to accomplish much of what the Cybersecurity Act intended. However, because of legal limitations, federal executive orders often cannot achieve everything that a passed piece of legislation can. Through an executive order, the White House can only use existing law to engage the nation's critical infrastructure entities to promote new and voluntary security enhancements. Other things an executive order cannot accomplish, which the Cybersecurity Act would have, are granting legal liability protections to compliant companies and creating full, robust cyber-threat information-sharing exchanges between private companies and the government.

Summary of Cybersecurity Executive Order Draft from President Obama
Maintains the President's goals to strengthen the cybersecurity of critical infrastructure and to pursue new information-sharing capabilities.
The National Institute of Standards and Technology (NIST), situated in Gaithersburg, Maryland, is being tapped to lead the way in developing a Cybersecurity Framework to identify gaps in the country's digital defenses and to set forward standards and methodologies to address the risks.
The executive order draft tasks federal agencies such as the Commerce and Treasury Departments with determining how to incentivize companies to participate and to agree to abide by new security standards.
The order asks the Pentagon and other agencies to determine whether cybersecurity should factor into the federal procurement process and whether the federal government should grant preferences to vendors adhering to strong cybersecurity standards.

Legislative Recommendations for Maryland to Pass in Support of the Soon-to-Be-Published Cybersecurity Executive Order from President Obama
Based on the summary of the draft Obama executive order, as reported by media outlets, and on the summary of the Cybersecurity Act of 2012, the following are recommendations for Maryland to endorse in order to fill potential gaps left by the executive order and to take advantage of its guidance, with the understanding that the situation is shifting and further details will emerge when the executive order is released:
Identify critical cyber infrastructure and its greatest cyber vulnerabilities
Strengthen the public-private cybersecurity partnership
Develop legislative incentives for businesses to successfully participate and receive certification by the federal government

Legislative Recommendations for Maryland to Pass in Support of the Soon-to-Be-Published Cybersecurity Executive Order from President Obama (Continued)
Improve information sharing, monitoring, and countermeasures
Address privacy and civil liberties issues
Improve the security of Maryland state and local government networks
Emphasize cybersecurity education, recruitment, and workforce development in order to comply with and complement the new federal cybersecurity guidance