EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law.

SENATE BILL 692
S2, P1 4lr2434
CF 4lr3009
By: Senators Jennings, Hershey, Hester, Simonaire, and Watson
Introduced and read first time: January 29, 2024
Assigned to: Education, Energy, and the Environment

A BILL ENTITLED

AN ACT concerning

Cybersecurity – Workgroup to Study Data Security – Establishment

FOR the purpose of establishing the Workgroup to Study Data Security; and generally relating to the Workgroup to Study Data Security.

Preamble

WHEREAS, The world is digital and state agencies, local governments, and organizations of all types hold vast amounts of valuable data, which continues to be one of the world’s most valuable assets; and

WHEREAS, Continued attacks from cyber threats and adversaries successfully breach government technology systems, steal valuable data, shut down organizations with ransomware, and exploit known and unknown vulnerabilities, all on an unprecedented scale; and

WHEREAS, With over 3,600 Data Breach Notices filed with the Office of the Attorney General in the past 3 years, representing a 700% increase over 10 years, attackers are more active than ever; and

WHEREAS, In this era of global technological transformation and data security risk, it is imperative for the State to respond; and

WHEREAS, Organizations must transform their cybersecurity strategies to ensure a data–first approach to security that keeps data secure; and

WHEREAS, Organizations must continuously assess their data security, identify potential risks and vulnerabilities, implement security controls to mitigate those risks and vulnerabilities, monitor for threats, and update their security posture; and

WHEREAS, Malicious actors are costing the State and its taxpayers millions of dollars in damages through attacks on State agencies, local governments, and school systems, particularly through the use of ransomware; and

WHEREAS, In 2019, a city in Maryland suffered over $18 million of damage from a ransomware attack; and

WHEREAS, In November of 2020, at the peak of the COVID–19 pandemic, a Maryland school district halted virtual learning for more than 100,000 students due to a ransomware attack; and

WHEREAS, In 2020 and 2021, a large Maryland school district inadvertently exposed the sensitive data of more than 2,500 employees; and

WHEREAS, In 2022, a State agency suffered a ransomware attack that impacted health services during the COVID–19 pandemic; and

WHEREAS, In 2023, a large Maryland university, health care system, county government, and State agency were all impacted by a widespread zero–day attack from a vulnerability in its MOVEit software, exposing the sensitive data of thousands of Maryland citizens; and

WHEREAS, Organizations that have suffered or are under threat of cybersecurity attacks must implement data security standards to limit the potential damage of attacks, ensure that data is secure, implement sound data security principles, limit internal access to data, and develop proactive detection and response capabilities; now, therefore,

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That:

(a) There is a Workgroup to Study Data Security.

(b) The Workgroup consists of the following members:

(1) one member of the Senate of Maryland who is a member of the Joint Committee on Cybersecurity, Information Technology, and Biotechnology, appointed by the President of the Senate;

(2) one member of the House of Delegates who is a member of the Joint Committee on Cybersecurity, Information Technology, and Biotechnology, appointed by the Speaker of the House;

(3) the Secretary of Information Technology, or the Secretary’s designee;

(4) the Secretary of Emergency Management, or the Secretary’s designee;

(5) the Director of Local Cybersecurity in the Office of Security Management in the Department of Information Technology;

(6) the Chief Information Security Officer in the Office of Security Management in the Department of Information Technology;

(7) the State Chief Data Officer;

(8) the State Chief Privacy Officer;

(9) one representative of the Maryland Association of Counties, designated by the President of the Association;

(10) one representative of the Maryland Municipal League, designated by the President of the League;

(11) one representative of the Maryland Association of Community Colleges, designated by the Executive Director of the Association;

(12) one representative of the Maryland Independent College and University Association, designated by the Executive Director of the Association;

(13) one representative of the University System of Maryland, designated by the Chancellor;

(14) one representative of the Cybersecurity Association of Maryland, designated by the Executive Director of the Association;

(15) one representative of the Maryland Cybersecurity Council, designated by the Attorney General; and

(16) four representatives of private cybersecurity companies currently in good standing with the State Department of Assessments and Taxation, designated by the Executive Director of the Cybersecurity Association of Maryland.

(c) The President of the Senate and the Speaker of the House shall jointly designate the chair and vice chair of the Workgroup from among the members of the Workgroup appointed by the President and the Speaker.

(d) The Office of the Governor shall provide staff for the Workgroup.

(e) A member of the Workgroup:

(1) may not receive compensation as a member of the Workgroup; but

(2) is entitled to reimbursement for expenses under the Standard State Travel Regulations, as provided in the State budget.

(f) The Workgroup shall:

(1) examine data protection standards that have been proposed or adopted in other states and used by governmental entities;

(2) identify existing standards that would be best assimilated by State agencies; and

(3) develop recommendations on, and assess the fiscal impact of:

(i) data protection standards for State and local government agencies to adopt and implement;

(ii) data inventory practices by State and local government agencies;

(iii) implementation of least privilege access policies;

(iv) user access auditing policies;

(v) threat detection and response practices; and

(vi) policies around notifying citizens of data breaches.

(g) Funds appropriated to the Dedicated Purpose Account established under § 7–310 of the State Finance and Procurement Article for cybersecurity purposes may be used to support the Workgroup’s activities.

(h) On or before December 1, 2024, the Workgroup shall submit an interim report of its findings and recommendations to the Governor and, in accordance with § 2–1257 of the State Government Article, the General Assembly.

(i) On or before June 30, 2025, the Workgroup shall submit a final report of its findings and recommendations to the Governor and, in accordance with § 2–1257 of the State Government Article, the General Assembly.

SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect July 1, 2024. It shall remain effective for a period of 2 years and, at the end of June 30, 2026, this Act, with no further action required by the General Assembly, shall be abrogated and of no further force and effect.