| 1 | 1 | | |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW. |
|---|
| 4 | 4 | | [Brackets] indicate matter deleted from existing law. |
|---|
| 5 | 5 | | *sb0692* |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | SENATE BILL 692 |
|---|
| 8 | 8 | | S2, P1 4lr2434 |
|---|
| 9 | 9 | | CF 4lr3009 |
|---|
| 10 | 10 | | By: Senators Jennings, Hershey, Hester, Simonaire, and Watson |
|---|
| 11 | 11 | | Introduced and read first time: January 29, 2024 |
|---|
| 12 | 12 | | Assigned to: Education, Energy, and the Environment |
|---|
| 13 | 13 | | |
|---|
| 14 | 14 | | A BILL ENTITLED |
|---|
| 15 | 15 | | |
|---|
| 16 | 16 | | AN ACT concerning 1 |
|---|
| 17 | 17 | | |
|---|
| 18 | 18 | | Cybersecurity – Workgroup to Study Data Security – Establishment 2 |
|---|
| 19 | 19 | | |
|---|
| 20 | 20 | | FOR the purpose of establishing the Workgroup to Study Data Security; and generally 3 |
|---|
| 21 | 21 | | relating to the Workgroup to Study Data Security. 4 |
|---|
| 22 | 22 | | |
|---|
| 23 | 23 | | Preamble 5 |
|---|
| 24 | 24 | | |
|---|
| 25 | 25 | | WHEREAS, The world is digital and state agencies, local governments, and 6 |
|---|
| 26 | 26 | | organizations of all types hold vast amounts of valuable data, which continues to be one of 7 |
|---|
| 27 | 27 | | the world’s most valuable assets; and 8 |
|---|
| 28 | 28 | | |
|---|
| 29 | 29 | | WHEREAS, Continued attacks from cyber threats and adversaries successfully 9 |
|---|
| 30 | 30 | | breach government technology systems, steal valuable data, shut down organizations with 10 |
|---|
| 31 | 31 | | ransomware, and exploit known and unknown vulnerabilities, all on an unprecedented 11 |
|---|
| 32 | 32 | | scale; and 12 |
|---|
| 33 | 33 | | |
|---|
| 34 | 34 | | WHEREAS, With over 3,600 Data Breach Notices filed with the Office of the 13 |
|---|
| 35 | 35 | | Attorney General in the past 3 years, representing a 700% increase over 10 years, attackers 14 |
|---|
| 36 | 36 | | are more active than ever; and 15 |
|---|
| 37 | 37 | | |
|---|
| 38 | 38 | | WHEREAS, In this era of global technological transformation and data security risk, 16 |
|---|
| 39 | 39 | | it is imperative for the State to respond; and 17 |
|---|
| 40 | 40 | | |
|---|
| 41 | 41 | | WHEREAS, Organizations must transform their cybersecurity strategies to ensure 18 |
|---|
| 42 | 42 | | a data–first approach to security that keeps data secure; and 19 |
|---|
| 43 | 43 | | |
|---|
| 44 | 44 | | WHEREAS, Organizations must continuously assess their data security, identify 20 |
|---|
| 45 | 45 | | potential risks and vulnerabilities, implement security controls to mitigate those risks and 21 |
|---|
| 46 | 46 | | vulnerabilities, monitor for threats, and update their security posture; and 22 |
|---|
| 47 | 47 | | |
|---|
| 48 | 48 | | WHEREAS, Malicious actors are costing the State and its taxpayers millions of 23 2 SENATE BILL 692 |
|---|
| 49 | 49 | | |
|---|
| 50 | 50 | | |
|---|
| 51 | 51 | | dollars in damages through attacks on State agencies, local governments, and school 1 |
|---|
| 52 | 52 | | systems, particularly through the use of ransomware; and 2 |
|---|
| 53 | 53 | | |
|---|
| 54 | 54 | | WHEREAS, In 2019, a city in Maryland suffered over $18 million of damage from a 3 |
|---|
| 55 | 55 | | ransomware attack; and 4 |
|---|
| 56 | 56 | | |
|---|
| 57 | 57 | | WHEREAS, In November of 2020, at the peak of the COVID –19 pandemic, a 5 |
|---|
| 58 | 58 | | Maryland school district halted virtual learning for more than 100,000 students due to a 6 |
|---|
| 59 | 59 | | ransomware attack; and 7 |
|---|
| 60 | 60 | | |
|---|
| 61 | 61 | | WHEREAS, In 2020 and 2021, a larg e Maryland school district inadvertently 8 |
|---|
| 62 | 62 | | exposed the sensitive data of more than 2,500 employees; and 9 |
|---|
| 63 | 63 | | |
|---|
| 64 | 64 | | WHEREAS, In 2022, a State agency suffered a ransomware attack that impacted 10 |
|---|
| 65 | 65 | | health services during the COVID–19 pandemic; and 11 |
|---|
| 66 | 66 | | |
|---|
| 67 | 67 | | WHEREAS, In 2023, a large Maryland university, health care system, county 12 |
|---|
| 68 | 68 | | government, and State agency were all impacted by a widespread zero–day attack from a 13 |
|---|
| 69 | 69 | | vulnerability in its MOVEit software, exposing the sensitive data of thousands of Maryland 14 |
|---|
| 70 | 70 | | citizens; and 15 |
|---|
| 71 | 71 | | |
|---|
| 72 | 72 | | WHEREAS, Organizations that have suffered or are under threat of cybersecurity 16 |
|---|
| 73 | 73 | | attacks must implement data security standards to limit the potential damage of attacks, 17 |
|---|
| 74 | 74 | | ensure that data is secure, implement sound data security principles, limit internal access 18 |
|---|
| 75 | 75 | | to data, and develop proactive detection and response capabilities; now, therefore, 19 |
|---|
| 76 | 76 | | |
|---|
| 77 | 77 | | SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 20 |
|---|
| 78 | 78 | | That: 21 |
|---|
| 79 | 79 | | |
|---|
| 80 | 80 | | (a) There is a Workgroup to Study Data Security. 22 |
|---|
| 81 | 81 | | |
|---|
| 82 | 82 | | (b) The Workgroup consists of the following members: 23 |
|---|
| 83 | 83 | | |
|---|
| 84 | 84 | | (1) one member of the Senate of Maryland who is a member of the Joint 24 |
|---|
| 85 | 85 | | Committee on Cybersecurity, Information Technology, and Biotechnology, appointed by the 25 |
|---|
| 86 | 86 | | President of the Senate; 26 |
|---|
| 87 | 87 | | |
|---|
| 88 | 88 | | (2) one member of the House of Delegates who is a member of the Joint 27 |
|---|
| 89 | 89 | | Committee on Cybersecurity, Information Technology, and Biotechnology, appointed by the 28 |
|---|
| 90 | 90 | | Speaker of the House; 29 |
|---|
| 91 | 91 | | |
|---|
| 92 | 92 | | (3) the Secretary of Information Technology, or the Secretary’s designee; 30 |
|---|
| 93 | 93 | | |
|---|
| 94 | 94 | | (4) the Secretary of Emergency Management, or the Secretary’s designee; 31 |
|---|
| 95 | 95 | | |
|---|
| 96 | 96 | | (5) the Director of Local Cybersecurity in the Office of Security 32 |
|---|
| 97 | 97 | | Management in the Department of Information Technology; 33 SENATE BILL 692 3 |
|---|
| 98 | 98 | | |
|---|
| 99 | 99 | | |
|---|
| 100 | 100 | | |
|---|
| 101 | 101 | | (6) the Chief Information Security Officer in the Office of Security 1 |
|---|
| 102 | 102 | | Management in the Department of Information Technology; 2 |
|---|
| 103 | 103 | | |
|---|
| 104 | 104 | | (7) the State Chief Data Officer; 3 |
|---|
| 105 | 105 | | |
|---|
| 106 | 106 | | (8) the State Chief Privacy Officer; 4 |
|---|
| 107 | 107 | | |
|---|
| 108 | 108 | | (9) one representative of the Maryland Association of Counties, designated 5 |
|---|
| 109 | 109 | | by the President of the Association; 6 |
|---|
| 110 | 110 | | |
|---|
| 111 | 111 | | (10) one representative of the Maryland Municipal League, designated by 7 |
|---|
| 112 | 112 | | the President of the League; 8 |
|---|
| 113 | 113 | | |
|---|
| 114 | 114 | | (11) one representative of the Maryland Association of Community Colleges, 9 |
|---|
| 115 | 115 | | designated by the Executive Director of the Association; 10 |
|---|
| 116 | 116 | | |
|---|
| 117 | 117 | | (12) one representative of the Maryland Independent College and 11 |
|---|
| 118 | 118 | | University Association, designated by the Executive Director of the Association; 12 |
|---|
| 119 | 119 | | |
|---|
| 120 | 120 | | (13) one representative of the University System of Maryland, designated 13 |
|---|
| 121 | 121 | | by the Chancellor; 14 |
|---|
| 122 | 122 | | |
|---|
| 123 | 123 | | (14) one representative of the Cybersecurity Association of Maryland, 15 |
|---|
| 124 | 124 | | designated by the Executive Director of the Association; 16 |
|---|
| 125 | 125 | | |
|---|
| 126 | 126 | | (15) one representative of the Maryland Cybersecurity Council, designated 17 |
|---|
| 127 | 127 | | by the Attorney General; and 18 |
|---|
| 128 | 128 | | |
|---|
| 129 | 129 | | (16) four representatives of private cybersecurity companies currently in 19 |
|---|
| 130 | 130 | | good standing with the State Department of Assessments and Taxation, designated by the 20 |
|---|
| 131 | 131 | | Executive Director of the Cybersecurity Association of Maryland. 21 |
|---|
| 132 | 132 | | |
|---|
| 133 | 133 | | (c) The President of the Senate and the Speaker of the House shall jointly 22 |
|---|
| 134 | 134 | | designate the chair and vice chair of the Workgroup from among the members of the 23 |
|---|
| 135 | 135 | | Workgroup appointed by the President and the Speaker. 24 |
|---|
| 136 | 136 | | |
|---|
| 137 | 137 | | (d) The Office of the Governor shall provide staff for the Workgroup. 25 |
|---|
| 138 | 138 | | |
|---|
| 139 | 139 | | (e) A member of the Workgroup: 26 |
|---|
| 140 | 140 | | |
|---|
| 141 | 141 | | (1) may not receive compensation as a member of the Workgroup; but 27 |
|---|
| 142 | 142 | | |
|---|
| 143 | 143 | | (2) is entitled to reimbursement for expenses under the Standard State 28 |
|---|
| 144 | 144 | | Travel Regulations, as provided in the State budget. 29 |
|---|
| 145 | 145 | | |
|---|
| 146 | 146 | | (f) The Workgroup shall: 30 4 SENATE BILL 692 |
|---|
| 147 | 147 | | |
|---|
| 148 | 148 | | |
|---|
| 149 | 149 | | |
|---|
| 150 | 150 | | (1) examine data protection standards that have been proposed or adopted 1 |
|---|
| 151 | 151 | | in other states and used by governmental entities; 2 |
|---|
| 152 | 152 | | |
|---|
| 153 | 153 | | (2) identify existing standards that would be best assimilated by State 3 |
|---|
| 154 | 154 | | agencies; and 4 |
|---|
| 155 | 155 | | |
|---|
| 156 | 156 | | (3) develop recommendations on, and assess the fiscal impact of: 5 |
|---|
| 157 | 157 | | |
|---|
| 158 | 158 | | (i) data protection standards for State and local government 6 |
|---|
| 159 | 159 | | agencies to adopt and implement; 7 |
|---|
| 160 | 160 | | |
|---|
| 161 | 161 | | (ii) data inventory practices by State and local government agencies; 8 |
|---|
| 162 | 162 | | |
|---|
| 163 | 163 | | (iii) implementation of least privilege access policies; 9 |
|---|
| 164 | 164 | | |
|---|
| 165 | 165 | | (iv) user access auditing policies; 10 |
|---|
| 166 | 166 | | |
|---|
| 167 | 167 | | (v) threat detection and response practices; and 11 |
|---|
| 168 | 168 | | |
|---|
| 169 | 169 | | (vi) policies around notifying citizens of data breaches. 12 |
|---|
| 170 | 170 | | |
|---|
| 171 | 171 | | (g) Funds appropriated to the Dedicated Purpose Account established under § 13 |
|---|
| 172 | 172 | | 7–310 of the State Finance and Procurement Article for cybersecurity purposes may be used 14 |
|---|
| 173 | 173 | | to support the Workgroup’s activities. 15 |
|---|
| 174 | 174 | | |
|---|
| 175 | 175 | | (h) On or before December 1, 2024, the Workgroup shall submit an interim report 16 |
|---|
| 176 | 176 | | of its findings and recommendations to the Governor and, in accordance with § 2–1257 of 17 |
|---|
| 177 | 177 | | the State Government Article, the General Assembly. 18 |
|---|
| 178 | 178 | | |
|---|
| 179 | 179 | | (i) On or before June 30, 2025, the Workgroup shall submit a final report of its 19 |
|---|
| 180 | 180 | | findings and recommendations to the Governor and, in accordance with § 2–1257 of the 20 |
|---|
| 181 | 181 | | State Government Article, the General Assembly. 21 |
|---|
| 182 | 182 | | |
|---|
| 183 | 183 | | SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect July 22 |
|---|
| 184 | 184 | | 1, 2024. It shall remain effective for a period of 2 years and, at the end of June 30, 2026, 23 |
|---|
| 185 | 185 | | this Act, with no further action required by the General Assembly, shall be abrogated and 24 |
|---|
| 186 | 186 | | of no further force and effect. 25 |
|---|